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Abstract 


This document describes how to manage physical and virtual Linux-based systems using the RHEL 
8 web console. The instructions assume that the server used for management is running in Red Hat 
Enterprise Linux 8. 


Table of Contents 


Table of Contents 


MAKING OPEN SOURCE MORE INCLUSIVE oo... ccc ccc cee eee HH e hh hn 6 
PROVIDING FEEDBACK ON RED HAT DOCUMENTATION ............ eee eee eee hn 7 
CHAPTER 1. GETTING STARTED USING THE RHEL WEB CONSOLE ...................................... 8 
1.1. WHAT IS THE RHEL WEB CONSOLE 8 
1.2. INSTALLING AND ENABLING THE WEB CONSOLE 9 
1.3. LOGGING IN TO THE WEB CONSOLE 9 


1.4. CONNECTING TO THE WEB CONSOLE FROM A REMOTE MACHINE n 
1.5. LOGGING IN TO THE WEB CONSOLE USING A ONE-TIME PASSWORD n 


1.6. RESTARTING THE SYSTEM USING THE WEB CONSOLE 12 
1.7. SHUTTING DOWN THE SYSTEM USING THE WEB CONSOLE 13 
1.8. CONFIGURING TIME SETTINGS USING THE WEB CONSOLE 14 
1.9. JOINING A RHEL 8 SYSTEM TO AN IDM DOMAIN USING THE WEB CONSOLE 15 
110. DISABLING SMT TO PREVENT CPU SECURITY ISSUES USING THE WEB CONSOLE 17 
1.11. ADDING A BANNER TO THE LOGIN PAGE 19 
112. CONFIGURING AUTOMATIC IDLE LOCK IN THE WEB CONSOLE 20 
CHAPTER 2. CONFIGURING THE HOST NAME IN THE WEB CONSOLE .................................. 22 
2.1. HOST NAME 22 
2.2. PRETTY HOST NAME IN THE WEB CONSOLE 22 
2.3. SETTING THE HOST NAME USING THE WEB CONSOLE 22 
CHAPTER З. RED HAT WEB CONSOLE ADD-ONS... ccc cece HH n e en 25 
ЗЛ. INSTALLING ADD-ONS 25 
3.2. ADD-ONS FOR THE RHEL 8 WEB CONSOLE 25 
CHAPTER 4. OPTIMIZING THE SYSTEM PERFORMANCE USING THE WEB CONSOLE .................. 26 
4.1. PERFORMANCE TUNING OPTIONS IN THE WEB CONSOLE 26 
4.2. SETTING A PERFORMANCE PROFILE IN THE WEB CONSOLE 26 
4.3. MONITORING PERFORMANCE USING THE WEB CONSOLE 27 
CHAPTER 5. REVIEWING LOGS IN THE WEB CONSOLE... ccc cece HH nn 29 
5.1. REVIEWING LOGS IN THE WEB CONSOLE 29 
5.2. FILTERING LOGS IN THE WEB CONSOLE 29 
5.3. TEXT SEARCH OPTIONS FOR FILTERING LOGS IN THE WEB CONSOLE 31 
5.4. USING A TEXT SEARCH BOX TO FILTER LOGS IN THE WEB CONSOLE 32 
5.5. OPTIONS FOR LOGS FILTERING 32 
CHAPTER 6. MANAGING USER ACCOUNTS IN THE WEB CONSOLE .................................... 35 
6.1. SYSTEM USER ACCOUNTS MANAGED IN THE WEB CONSOLE 35 
6.2. ADDING NEW ACCOUNTS USING THE WEB CONSOLE 35 
6.3. ENFORCING PASSWORD EXPIRATION IN THE WEB CONSOLE 36 
6.4. TERMINATING USER SESSIONS IN THE WEB CONSOLE 37 
CHAPTER 7. MANAGING SERVICES IN THE WEB CONSOLE ............. en 38 
71. ACTIVATING OR DEACTIVATING SYSTEM SERVICES IN THE WEB CONSOLE 38 
7.2. RESTARTING SYSTEM SERVICES IN THE WEB CONSOLE 39 
CHAPTER 8. CONFIGURING NETWORK BONDS USING THE WEB CONSOLE ........................... 41 
81. UNDERSTANDING NETWORK BONDING 4 
8.2. BOND MODES 41 
8.3. ADDING A NEW BOND USING THE WEB CONSOLE 42 
8.4. ADDING INTERFACES TO THE BOND USING THE WEB CONSOLE 44 


Red Hat Enterprise Linux 8 Managing systems using the RHEL 8 web console 


8.5. REMOVING OR DISABLING AN INTERFACE FROM THE BOND USING THE WEB CONSOLE 
8.6. REMOVING OR DISABLING A BOND USING THE WEB CONSOLE 


CHAPTER 9. CONFIGURING NETWORK TEAMS USING THE WEB CONSOLE _....................... 


9.1. UNDERSTANDING NETWORK TEAMING 

9.2. COMPARISON OF NETWORK TEAMING AND BONDING FEATURES 

9.3. ADDING A NEW TEAM USING THE WEB CONSOLE 

9.4. ADDING NEW INTERFACES TO THE TEAM USING THE WEB CONSOLE 

9.5. REMOVING OR DISABLING AN INTERFACE FROM THE TEAM USING THE WEB CONSOLE 
9.6. REMOVING OR DISABLING A TEAM USING THE WEB CONSOLE 


CHAPTER 10. CONFIGURING NETWORK BRIDGES IN THE WEB CONSOLE _......................... 


10.1. ADDING BRIDGES IN THE WEB CONSOLE 

10.2. CONFIGURING A STATIC IP ADDRESS IN THE WEB CONSOLE 

10.3. REMOVING INTERFACES FROM THE BRIDGE USING THE WEB CONSOLE 
10.4. DELETING BRIDGES IN THE WEB CONSOLE 


CHAPTER 11. CONFIGURING VLANS IN THE WEB CONSOLE ....................................... 


CHAPTER 12. CONFIGURING THE WEB CONSOLE LISTENING PORT .............................. 


12.1. ALLOWING A NEW PORT ON A SYSTEM WITH ACTIVE SELINUX 
12.2. ALLOWING A NEW PORT ON A SYSTEM WITH FIREWALLD 
12.3. CHANGING THE WEB CONSOLE PORT 


CHAPTER 13. MANAGING FIREWALL USING THE WEB CONSOLE ................................. 


13.1. RUNNING FIREWALL USING THE WEB CONSOLE 

13.2. STOPPING FIREWALL USING THE WEB CONSOLE 

13.3. ZONES 

13.4. ZONES IN THE WEB CONSOLE 

13.5. ENABLING ZONES USING THE WEB CONSOLE 

13.6. ENABLING SERVICES ON THE FIREWALL USING THE WEB CONSOLE 
13.7. CONFIGURING CUSTOM PORTS USING THE WEB CONSOLE 

13.8. DISABLING ZONES USING THE WEB CONSOLE 


CHAPTER 14. APPLYING A GENERATED ANSIBLE PLAYBOOK .................................... 


CHAPTER 15. MANAGING PARTITIONS USING THE WEB CONSOLE ............................... 


15.1. DISPLAYING PARTITIONS FORMATTED WITH FILE SYSTEMS IN THE WEB CONSOLE 
15.2. CREATING PARTITIONS IN THE WEB CONSOLE 

15.3. DELETING PARTITIONS IN THE WEB CONSOLE 

15.4. MOUNTING AND UNMOUNTING FILE SYSTEMS IN THE WEB CONSOLE 


CHAPTER 16. MANAGING NFS MOUNTS IN THE WEB CONSOLE _................................... 


16.1. CONNECTING NFS MOUNTS IN THE WEB CONSOLE 
16.2. CUSTOMIZING NFS MOUNT OPTIONS IN THE WEB CONSOLE 


CHAPTER 17. MANAGING REDUNDANT ARRAYS OF INDEPENDENT DISKS IN THE WEB CONSOLE 


17.1. CREATING RAID IN THE WEB CONSOLE 

17.2. FORMATTING RAID IN THE WEB CONSOLE 

17.3. USING THE WEB CONSOLE FOR CREATING A PARTITION TABLE ON RAID 

17.4. USING THE WEB CONSOLE FOR CREATING PARTITIONS ON RAID 

17.5. USING THE WEB CONSOLE FOR CREATING A VOLUME GROUP ON TOP OF RAID 


CHAPTER 18. USING THE WEB CONSOLE FOR CONFIGURING LVM LOGICAL VOLUMES .......... 


18.1. LOGICAL VOLUME MANAGER IN THE WEB CONSOLE 
18.2. CREATING VOLUME GROUPS IN THE WEB CONSOLE 


Table of Contents 


18.3. CREATING LOGICAL VOLUMES IN THE WEB CONSOLE 95 
18.4. FORMATTING LOGICAL VOLUMES IN THE WEB CONSOLE 97 
18.5. RESIZING LOGICAL VOLUMES IN THE WEB CONSOLE 99 
18.6. ADDITIONAL RESOURCES 100 
CHAPTER 19. USING THE WEB CONSOLE FOR CONFIGURING THIN LOGICAL VOLUMES ............. 101 
19.1. CREATING POOLS FOR THIN LOGICAL VOLUMES IN THE WEB CONSOLE 101 
19.2. CREATING THIN LOGICAL VOLUMES IN THE WEB CONSOLE 102 
19.3. FORMATTING LOGICAL VOLUMES IN THE WEB CONSOLE 103 


CHAPTER 20. USING THE WEB CONSOLE FOR CHANGING PHYSICAL DRIVES IN VOLUME GROUPS .. 107 


20.1. ADDING PHYSICAL DRIVES TO VOLUME GROUPS IN THE WEB CONSOLE 107 
20.2. REMOVING PHYSICAL DRIVES FROM VOLUME GROUPS IN THE WEB CONSOLE 108 
CHAPTER 21. USING THE WEB CONSOLE FOR MANAGING VIRTUAL DATA OPTIMIZER VOLUMES .... 110 
211. VDO VOLUMES IN THE WEB CONSOLE ПО 
21.2. CREATING VDO VOLUMES IN THE WEB CONSOLE m 
21.3. FORMATTING VDO VOLUMES IN THE WEB CONSOLE 112 
21.4. EXTENDING VDO VOLUMES IN THE WEB CONSOLE 115 
CHAPTER 22. LOCKING DATA WITH LUKS PASSWORD IN THE RHEL WEB CONSOLE ................. 117 
22.1. LUKS DISK ENCRYPTION 17 
22.2. CONFIGURING THE LUKS PASSPHRASE IN THE WEB CONSOLE 118 
22.3. CHANGING THE LUKS PASSPHRASE IN THE WEB CONSOLE 119 


CHAPTER 23. CONFIGURING AUTOMATED UNLOCKING USING A TANG KEY IN THEWEB CONSOLE . 121 


CHAPTER 24. MANAGING SOFTWARE UPDATES IN THE WEB CONSOLE ............................. 125 
24.1. MANAGING MANUAL SOFTWARE UPDATES IN THE WEB CONSOLE 125 
24.2. MANAGING AUTOMATIC SOFTWARE UPDATES IN THE WEB CONSOLE 125 
24.3. MANAGING ON-DEMAND RESTARTING AFTER APPLYING SOFTWARE UPDATES IN THE WEB 
CONSOLE 126 

CHAPTER 25. MANAGING SUBSCRIPTIONS IN THE WEB CONSOLE ................................... 128 
25.1. SUBSCRIPTION MANAGEMENT IN THE WEB CONSOLE 128 
25.2. REGISTERING SUBSCRIPTIONS WITH CREDENTIALS IN THE WEB CONSOLE 128 
25.3. REGISTERING SUBSCRIPTIONS WITH ACTIVATION KEYS IN THE WEB CONSOLE 131 

CHAPTER 26. CONFIGURING KDUMP IN THE WEB CONSOLE ......................................... 135 
26.1. ADDITIONAL RESOURCES 135 
26.2. CONFIGURING KDUMP MEMORY USAGE AND TARGET LOCATION IN WEB CONSOLE 135 

CHAPTER 27. MANAGING VIRTUAL MACHINES IN THE WEB CONSOLE ............................... 138 
27.1. OVERVIEW OF VIRTUAL MACHINE MANAGEMENT USING THE WEB CONSOLE 138 
27.2. SETTING UP THE WEB CONSOLE TO MANAGE VIRTUAL MACHINES 138 
27.3. VIRTUAL MACHINE MANAGEMENT FEATURES AVAILABLE IN THE WEB CONSOLE 139 
27.4. DIFFERENCES BETWEEN VIRTUALIZATION FEATURES IN VIRTUAL MACHINE MANAGER AND THE WEB 
CONSOLE 140 

CHAPTER 28. MANAGING REMOTE SYSTEMS IN THE WEB CONSOLE ................................ 143 
28.1. REMOTE SYSTEM MANAGER IN THE WEB CONSOLE 143 
28.2. ADDING REMOTE HOSTS TO THE WEB CONSOLE 144 
28.3. REMOVING REMOTE HOSTS FROM THE WEB CONSOLE 147 
28.4. ENABLING SSH LOGIN FOR A NEW HOST 150 


CHAPTER 29. CONFIGURING SINGLE SIGN-ON FOR THE RHEL 8 WEB CONSOLE IN THEIDM DOMAIN 155 


Red Hat Enterprise Linux 8 Managing systems using the RHEL 8 web console 


29.1. JOINING A RHEL 8 SYSTEM TO AN IDM DOMAIN USING THE WEB CONSOLE 155 
29.2. LOGGING IN TO THE WEB CONSOLE USING KERBEROS AUTHENTICATION 157 
29.3. ENABLING ADMIN SUDO ACCESS TO DOMAIN ADMINISTRATORS ON THE IDM SERVER 158 


CHAPTER 30. CONFIGURING SMART CARD AUTHENTICATION WITH THE WEB CONSOLE FOR CENTRALLY 


MANAGED USERS: зуу achete eene I a hc orb RR ON RR c RT ОН 6 ots sre a irat Rd e RR E eed 160 
30.1. SMART CARD AUTHENTICATION FOR CENTRALLY MANAGED USERS 160 
30.2. INSTALLING TOOLS FOR MANAGING AND USING SMART CARDS 161 
30.3. STORING A CERTIFICATE ON A SMART CARD 161 
30.4. ENABLING SMART CARD AUTHENTICATION FOR THE WEB CONSOLE 163 
30.5. LOGGING IN TO THE WEB CONSOLE WITH SMART CARDS 163 
30.6. LIMITING USER SESSIONS AND MEMORY TO PREVENT A DOS ATTACK 164 
30.7. ADDITIONAL RESOURCES 165 


Table of Contents 


Red Hat Enterprise Linux 8 Managing systems using the RHEL 8 web console 


MAKING OPEN SOURCE MORE INCLUSIVE 


Red Hat is committed to replacing problematic language in our code, documentation, and web 
properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the 
enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. 


For more details, see our CTO Chris Wright's message. 


PROVIDING FEEDBACK ON RED HAT DOCUMENTATION 


PROVIDING FEEDBACK ON RED HAT DOCUMENTATION 


We appreciate your input on our documentation. Please let us know how we could make it better. To do 
SO: 


€ Forsimple comments on specific passages: 


1. Make sure you are viewing the documentation in the Multi-page HTML format. In addition, 
ensure you see the Feedback button in the upper right corner of the document. 


2. Use your mouse cursor to highlight the part of text that you want to comment on. 
3. Click the Add Feedback pop-up that appears below the highlighted text. 
4. Follow the displayed instructions. 
e Forsubmitting more complex feedback, create a Bugzilla ticket: 
1. Goto the Bugzilla website. 
2. As the Component, use Documentation. 


3. Fill in the Description field with your suggestion for improvement. Include a link to the 
relevant part(s) of documentation. 


4. Click Submit Bug. 
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CHAPTER 1. GETTING STARTED USING THE RHEL WEB 
CONSOLE 


Install the web console in Red Hat Enterprise Linux 8 and learn how to add remote hosts and monitor 
them in the RHEL 8 web console. 


Prerequisites 


e Installed Red Hat Enterprise Linux 8. 
e Enabled networking. 


€ Registered system with appropriate subscription attached. 
To obtain a subscription, see Managing subscriptions in the web console. 


1.1. WHAT IS THE RHEL WEB CONSOLE 


The RHEL web console is a Red Hat Enterprise Linux 8 web-based interface designed for managing and 
monitoring your local system, as well as Linux servers located in your network environment. 


RED HAT ENTERPRISE LINUX A ueterem 


[5] localhost.localdomain localhost.ocaldomain running Red Hat Enterprise Linux 8.2 Beta (Ootpa) 


Health Usage 


A Not Registered CPU н 8% of 1 CPU core 


Networking A Not connected to Insights Memory 14 GiB/ 18 GiB 
Podman Containers 
View graphs 


Accounts 


Services 


Configuration 


System information 


Applications 
Model QEMU Standard PC (Q35 * ICH9, Hostname localhost.localdomain 
Diagnostic Reports 2009) edit 
Kernel Dump Machine ID | 6c75e029993047eba776378d55 System time 2020-01-20 12:59 
0f2676 
Domain Join Domain 


The RHEL web console enables you a wide range of administration tasks, including: 
e Managing services 
e Managing user accounts 
e Managing and monitoring system services 


e Configuring network interfaces and firewall 
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e Reviewing system logs 

e Managing virtual machines 

€ Creating diagnostic reports 

€ Setting kernel dump configuration 
e Configuring SELinux 

€ Updating software 

e Managing system subscriptions 


The RHEL web console uses the same system APIs as you would in a terminal, and actions performed in 
a terminal are immediately reflected in the RHEL web console. 


You can monitor the logs of systems in the network environment, as well as their performance, displayed 
as graphs. In addition, you can change the settings directly in the web console or through the terminal. 


1.2. INSTALLING AND ENABLING THE WEB CONSOLE 
To access the RHEL 8 web console, first enable the cockpit.socket service. 
Red Hat Enterprise Linux 8 includes the RHEL 8 web console installed by default in many installation 


variants. If this is not the case on your system, install the cockpit package before enabling the 
cockpit.socket service. 


Procedure 


1. If the web console is not installed by default on your installation variant, manually install the 
cockpit package: 


| # yum install cockpit 
2. Enable and start the cockpit.socket service, which runs a web server: 
| # systemctl enable --now cockpit.socket 


3. If the web console was not installed by default on your installation variant and you are using a 
custom firewall profile, add the cockpit service to firewalld to open port 9090 in the firewall: 


# firewall-cmd --add-service=cockpit --permanent 
# firewall-cmd --reload 


Verification steps 


1. To verify the previous installation and configuration, open the web console. 


1.3. LOGGING IN TO THE WEB CONSOLE 


Use the steps in this procedure for the first login to the RHEL web console using a system user name 
and password. 
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Prerequisites 
e Use one of the following browsers for opening the web console: 


o Mozilla Firefox 52 and later 
o Google Chrome 57 and later 
o Microsoft Edge 16 and later 


ө System user account credentials 
The RHEL web console uses a specific PAM stack located at /etc/pam.d/cockpit. Authentication 
with PAM allows you to log in with the user name and password of any local account on the 
system. 
Procedure 
1. Open the web console in your web browser: 
e Locally: https://localhost:9090 


e Remotely with the server's hostname: https://example.com:9090 


e Remotely with the server's IP address: https://192.0.2.2:9090 
If you use a self-signed certificate, the browser issues a warning. Check the certificate and 
accept the security exception to proceed with the login. 


The console loads a certificate from the /etc/cockpit/ws-certs.d directory and uses the last 
file with a .cert extension in alphabetical order. To avoid having to grant security exceptions, 
install a certificate signed by a certificate authority (CA). 


2. In the login screen, enter your system user name and password. 


RedHat 
Enterprise Linux 


Red Hat Enterprise Linux 


User name 


euser 


Password 


v Reuse my password for privileged tasks 


> Other Options 


Server: localhost.localdomain 


Log in with your server user account. 


3. Optionally, click the Reuse my password for privileged tasksoption. 
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If the user account you are using to log in has sudo privileges, this makes it possible to perform 
privileged tasks in the web console, such as installing software or configuring SELinux. 


4. Click Log In. 


After successful authentication, the RHEL web console interface opens. 


1.4. CONNECTING TO THE WEB CONSOLE FROM A REMOTE MACHINE 


It is possible to connect to your web console interface from any client operating system and also from 
mobile phones or tablets. 


Prerequisites 
ө Device with a supported internet browser, such as: 
o Mozilla Firefox 52 and later 
o Google Chrome 57 and later 
o Microsoft Edge 16 and later 


e RHEL 8 server you want to access with an installed and accessible web console. For more 
information about the installation of the web console see Installing the web console. 


Procedure 
1. Open your web browser. 
2. Type the remote server's address in one of the following formats: 
a. With the server's host name: server.hostname.example.com:port number 
b. With the server's IP address: server.IP address:port number 


3. After the login interface opens, log in with your RHEL machine credentials. 


1.5. LOGGING IN TO THE WEB CONSOLE USING A ONE-TIME 
PASSWORD 


If your system is part of an Identity Management (IdM) domain with enabled one-time password (OTP) 
configuration, you can use an OTP to log in to the RHEL web console. 


IMPORTANT 


It is possible to log in using a one-time password only if your system is part of an Identity 
Management (IdM) domain with enabled OTP configuration. For more information about 
OTP in IdM, see One-time password in Identity Management. 


Prerequisites 


e The RHEL web console has been installed. 
For details, see Installing the web console. 


e An Identity Management server with enabled OTP configuration. 


T1 
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For details, see One-time password in Identity Management. 


€ Aconfigured hardware or software device generating OTP tokens. 


Procedure 
1. Open the RHEL web console in your browser: 
e Locally: https://localhost:PORT NUMBER 


e Remotely with the server hostname: https://example.com:PORT NUMBER 


e Remotely with the server IP address: 
https://EXAMPLE.SERVER.IP.ADDR:PORT NUMBER 
If you use a self-signed certificate, the browser issues a warning. Check the certificate and 
accept the security exception to proceed with the login. 


The console loads a certificate from the /etc/cockpit/ws-certs.d directory and uses the last 
file with a .cert extension in alphabetical order. To avoid having to grant security exceptions, 
install a certificate signed by a certificate authority (CA). 

2. The Login window opens. In the Login window, enter your system user name and password. 


3. Generate a one-time password on your device. 


4. Enter the one-time password into a new field that appears in the web console interface after 
you confirm your password. 


5. Click Log in. 


6. Successful login takes you to the Overview page of the web console interface. 


1.6. RESTARTING THE SYSTEM USING THE WEB CONSOLE 


You can use the web console to restart a RHEL system that the web console is attached to. 


Prerequisites 


€ The web console is installed and accessible. 
For details, see Installing the web console. 


Procedure 


1. Log into the RHEL 8 web console. 
For details, see Logging in to the web console . 


2. Click Overview. 


3. Click the Restart restart button. 
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RED HAT ENTERPRISE LINUX © Example User ~ 


localhost.localdomain running Red Hat Enterprise Linux 8.2 Beta (Ootpa) 


Health Usage 


A Not Registered CPU = 18% of 2 CPUs 


A Not connected to Insights 
Memory С] 14/18 СІВ 


View graphs 


4. If any users are logged into the system, write a reason for the restart in the Restart dialog box. 


5. Optional: In the Delay drop down list, select a time interval. 


Restart 


Delay 1 Minute 


1 Minute 


5 Minutes 


20 Minutes 


6. Click Restart. 


1.7. SHUTTING DOWN THE SYSTEM USING THE WEB CONSOLE 


You can use the web console to shut down a RHEL system that the web console is attached to. 


Prerequisites 


€ The web console is installed and accessible. 
For details, see Installing the web console. 


Procedure 


1. Log into the RHEL 8 web console. 
For details, see Logging in to the web console . 


2. Click Overview. 


3. In the Restart drop down list, select Shut Down. 
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RED HAT ENTERPRISE LINUX 


E localhost.localdo 


localhost.localdomain running Red Hat Enterprise Linux 8.2 Beta(Ootpa) Restart ~ 


Q Searc Restart 
Shutdown 
Overview Health Usage 
Logs 1 
›0 А Not Registered CPU ' 496 of 2 CPUs 
Storage A Not connected to Insights 
z Memory =a 14/18 GiB 
Networking 
=== View graphs 


Containers 


4. If any users are logged in to the system, write a reason for the shutdown in the Shut Down 
dialog box. 


5. Optional: In the Delay drop down list, select a time interval. 


6. Click Shut Down 


1.8. CONFIGURING TIME SETTINGS USING THE WEB CONSOLE 


You can set a time zone and synchronize the system time with a Network Time Protocol (NTP) server. 


Prerequisites 


€ The web console is installed and accessible. 
For details, see Installing the web console. 


Procedure 


1. Log in to the RHEL 8 web console. 
For details, see Logging in to the web console . 


. Click the current system time in Overview. 


RED HAT ENTERPRISE LINUX © Exaile Leer « 


Im Not connected to Insights 
E mymachine А 9 Memory =] 15/18 GiB 


а сеа View graphs 


Overview 


Logs System information Configuration 


Storage 
Model QEMU Standard PC (Q35 * ICH9, Hostname mymachine 
Networking 2009) (mymachine.idm.example.com) 


edit 
Podman Machine ID — 9fa031b4e58948b09dl3eGecd3blc9 


Containers de Systemtime 2020-03-23 21:44 


Accounts Domain Join Domain 


3. In the Change System Time dialog box, change the time zone if necessary. 


4. In the Set Time drop down menu, select one of the following: 
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Manually 

Use this option if you need to set the time manually, without an NTP server. 
Automatically using NTP server 

This is a default option, which synchronizes time automatically with the preset NTP servers. 
Automatically using specific NTP servers 


Use this option only if you need to synchronize the system with a specific NTP server. 
Specify the DNS name or the IP address of the server. 


5. Click Change. 


RED HAT ENTERPRISE LINUX - а Example User = 


E mymachine 
Change System Time 


Time Zone Europe/Prague 
Overview 


Set Time Automatically using NTP 
Manually 


Automatically using NTP 


Verification steps 


€ Check the system time displayed in the System tab. 


Additional resources 


e Using the Chrony suite to configure NTP . 


1.9. JOINING A RHEL 8 SYSTEM TO AN IDM DOMAIN USING THE WEB 
CONSOLE 


You can use the web console to join the Red Hat Enterprise Linux 8 system to the Identity Management 
(IdM) domain. 


Prerequisites 


e TheldM domain is running and reachable from the client you want to join. 


€ You have the IdM domain administrator credentials. 


Procedure 


1. Log into the RHEL web console. 
For details, see Logging in to the web console . 


2. Open the System tab. 


3. Click Join Domain. 
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[E] webconsole Hardware QEMU Standard PC H Ora CRU RONE 
100 


(I440FX + PIIX, 1996) 


System Machine ID e89c7da66c204ec3a... 


g System Red Hat Enterprise 
Linux 8.0 
(Ootpa) 
Memory & Swap 
System Up To Date 
Keys Show fingerprints 
Мате webconsole (webco... 


Domain Join Domain 


e 2019-02-04 13:51 Ө 


Restart ~ KiB/s Disk МО 


4. In the Join a Domain dialog box, enter the host name of the IdM server in the Domain Address 
field. 


5. In the Authentication drop down list, select if you want to use a password or a one-time 
password for authentication. 


Join a Domain 


Domain Address | server.idm.example.com 


Authentication | One Time Password v | 


One Time Password | Administrator Password 


One Time Password 


6. In the Domain Administrator Name field, enter the user name of the IdM administration 
account. 


7. In the password field, add the password or one-time password according to what you selected in 
the Authentication drop down list earlier. 


8. Click Join. 
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Join a Domain 


Domain Address | server.idm.example.com 


Authentication | Administrator Password v 


Domain Administrator Name | admin 


Verification steps 


1. If the RHEL 8 web console did not display an error, the system has been joined to the IdM 
domain and you can see the domain name in the System screen. 


2. To verify that the user is a member of the domain, click the Terminal page and type the id 
command: 


$ id 
euid-548800004(example user) gid-548800004(example user) 
groups-548800004(example user) сопіехі=ипсопїпеа u:unconfined r:unconfined t:sO- 
s0:c0.c1023 
Additional resources 
e Planning Identity Management 


e Installing Identity Management 


e Configuring and managing Identity Management 


1.10. DISABLING SMT TO PREVENT CPU SECURITY ISSUES USING THE 
WEB CONSOLE 


Disable Simultaneous Multi Threading (SMT) in case of attacks that misuse CPU SMT. Disabling SMT 
can mitigate security vulnerabilities, such as LITF or MDS. 


IMPORTANT 


Disabling SMT might lower the system performance. 


Prerequisites 


€ The web console must be installed and accessible. 
For details, see Installing the web console. 


17 


Red Hat Enterprise Linux 8 Managing systems using the RHEL 8 web console 


Procedure 


1. Log in to the RHEL 8 web console. 
For details, see Logging in to the web console . 


2. Click System. 


3. In the Hardware item, click the hardware information. 


Е] localhost Hardware LENOVO 2018520800 


Click to see system hardware 


information 93edb0ef5 


Operating System 


System Up To Date 


Secure Shell Keys Show fingerprints 
Host Name localhost.localdomain 
Domain join Domain 
System Time 2019-07-01 17:51 @ 
Power Options | Restart v 


Performance Profile desktop 


4. In the CPU Security item, click Mitigations. 
If this link is not present, it means that your system does not support SMT, and therefore is not 
vulnerable. 


5. In the CPU Security Toggles switch on the Disable simultaneous multithreading (nosmt) 
option. 


CPU Security Toggles 
Software-based workarounds help prevent CPU security issues. These mitigations have the side 


effect of reducing performance. Change these settings at your own risk. 


Disable simultaneous multithreading (nosmt) eo 
(7 Read more... 


Cancel Save and reboot 


6. Click on the Save and rebootbutton. 


After the system restart, the CPU no longer uses SMT. 


Additional resources 


e LITF -L1 Terminal Fault Attack - CVE-2018-3620 & CVE-2018-3646 
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e MDS - Microarchitectural Data Sampling - CVE-2018-12130, CVE-2018-12126, CVE-2018-12127, 
and CVE-2019-11091 


1.11. ADDING A BANNER TO THE LOGIN PAGE 

Companies or agencies sometimes need to show a warning that usage of the computer is for lawful 
purposes, the user is subject to surveillance, and anyone trespassing will be prosecuted. The warning 
must be visible before login. Similarly to SSH, the web console can optionally show the content of a 


banner file on the login screen. To enable banners in your web console sessions, you need to modify the 
letc/cockpit/cockpit.conf file. Note that the file is not required and you may need to create it manually. 


Prerequisites 


e The web console is installed and accessible. For details, see Installing the web console. 


e You must have sudo privileges. 


Procedure 


1. Create the /etc/issue.cockpit file in a text editor of your preference if you do not have it yet. 
Add the content you want to display as the banner to the file. 
Do not include any macros in the file as there is no re-formatting done between the file content 
and the displayed content. Use intended line breaks. It is possible to use ASCII art. 


2. Save the file. 


3. Open or create the cockpit.conf file in the /etc/cockpit/ directory in a text editor of your 
preference. 


| $ sudo vi cockpit.conf 
4. Add the following text to the file: 


Banner=/etc/issue.cockpit 


| [Session] 


5. Save the file. 


6. Restart the web console for changes to take effect. 
| # systemctl try-restart cockpit 
Verification steps 
€ Open the web console login screen again to verify that the banner is now visible. 


Example 1.1. Adding an example banner to the login page 


1. Create an /etc/issue.cockpit file with a desired text using a text editor: 


| This is an example banner for the RHEL web console login page. 


2. Open or create the /etc/cockpit/cockpit.conf file and add the following text: 
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[Session] 
Banner=/etc/issue.cockpit 


3. Restart the web console. 


4. Open the web console login screen again. 


A This is an example banner for the RHEL web console login page. 


Red Hat 
Enterprise Linux 


Red Hat Enterprise Linux 


User name 


Password 


«4 Reuse my password for remote connections 


> Other Options 


Server: mymachine.idm.example.com 


Log in with your server user account. 


1.12. CONFIGURING AUTOMATIC IDLE LOCK IN THE WEB CONSOLE 
By default, there is no idle timeout set in the web console interface. If you wish to enable an idle timeout 


on your system, you can do so by modifying the /etc/cockpit/cockpit.conf configuration file. Note that 
the file is not required and you may need to create it manually. 


Prerequisites 


€ The web console must be installed and accessible. 
For details, see Installing the web console. 


e You must have sudo privileges. 


Procedure 


1. Open or create the cockpit.conf file in the /etc/cockpit/ directory in a text editor of your 
preference. 


| $ sudo vi cockpit.conf 


2. Add the following text to the file: 
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[Session] 
IdleTimeout-X 


Substitute X with a number for a time period of your choice in minutes. 
3. Save the file. 


4. Restart the web console for changes to take effect. 


| # systemctl try-restart cockpit 


Verification steps 


e Check if the session logs you out after a set period of time. 
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CHAPTER 2. CONFIGURING THE HOST NAME IN THE WEB 
CONSOLE 


Learn how to use the RHEL 8 web console to configure different forms of the host name on the system 
that the web console is attached to. 


2.1. HOST NAME 


The host name identifies the system. By default, the host name is set to localhost, but you can change 
it. 


A host name consists of two parts: 


Host name 
It is a unique name which identifies a system. 
Domain 


Add the domain as a suffix behind the host name when using a system in a network and when using 
names instead of just IP addresses. 


A host name with an attached domain name is called a fully qualified domain name (FQDN). For 
example: mymachine.example.com. 


Host names are stored in the /etc/hostname file. 


2.2. PRETTY HOST NAME IN THE WEB CONSOLE 


You can configure a pretty host name in the RHEL web console. The pretty host name is a host name 
with capital letters, spaces, and so on. 


The pretty host name displays in the web console, but it does not have to correspond with the host 
name. 


Example 2.1. Host name formats in the web console 


Pretty host name 
My Machine 
Host name 
mymachine 
Real host name - fully qualified domain name (FQDN) 


mymachine.idm.company.com 


2.3. SETTING THE HOST NAME USING THE WEB CONSOLE 


This procedure sets the real host name or the pretty host name in the web console. 


Prerequisites 


€ The web console is installed and accessible. 
For details, see Installing the web console. 
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Procedure 


1. Log into the RHEL 8 web console. 
For details, see Logging in to the web console . 


2. Click Overview. 


3. Click edit next to the current host name. 


@ Overview - localhost.loc- X | + 


€ C ù G) localhost:9090/systen ө in O © 


RED HAT ENTERPRISE LINUX A Example User © 


Health Usage 


A Not Registered CPU 1% of 2 CPUs 


A Not connected to Insights 
Memory 14/18 GiB 


Overview 
View graphs 


System information Configuration 


Model QEMU Standard PC (Q35 + ICH9, Hostname localhost localdomain[edit] 
2009) 
System time 2020-03-17 09:53 
Machine ID ..9fa031b4e58948bO09dl3e6Gecd3blc9 


de Domain Join Domain 
Performance profile ^ virtual-guest 
Applications 


Secure Shell keys Show fingerprints 


PCP 
View hardware details c Enable stored metrics 


4. In the Change Host Name dialog box, enter the host name in the Pretty Host Name field. 


5. The Real Host Name field attaches a domain name to the pretty name. 
You can change the real host name manually if it does not correspond with the pretty host 
name. 


6. Click Change. 


RED HAT ENTERPRISE LINUX © Example User * 


E loce 
Change Host Name 


Q 


Pretty Host Name mymachine 


Overview 


Real Host Name mymachine.idm.example.com 
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Verification steps 


1. Log out from the web console. 


2. Reopen the web console by entering an address with the new host name in the address bar of 
your browser. 


@ mymachine.idm.example X | + 


— CŒ Ф@ © & example.com 


Red Hat 
Enterprise Linux 


Red Hat Enterprise Linux 


User name 


Password 


v Reuse my password for privileged tasks 


> Other Options 


Server: mymachine.idm.example.com 


Log in with your server user account. 


CHAPTER 3. RED HAT WEB CONSOLE ADD-ONS 


CHAPTER 3. RED HAT WEB CONSOLE ADD-ONS 


Install add-ons in the RHEL 8 web console and learn what add-on applications are available for you. 


3.1. INSTALLING ADD-ONS 


The cockpit package is a part of Red Hat Enterprise Linux 8 by default. To be able to use add-on 
applications you must install them separately. 


Prerequisites 


e Installed and enabled cockpit package. If you need to install web console first, check the 
installation section. 


Procedure 


e |nstall an add-on. 


| # yum install <add-on> 


3.2. ADD-ONS FOR THE RHEL 8 WEB CONSOLE 


The following table lists available add-on applications for the RHEL 8 web console. 


Feature name Package name Usage 


Composer cockpit-composer Building custom OS images 

Dashboard cockpit-dashboard Managing multiple servers in one 
UI 

Machines cockpit-machines Managing libvirt virtual machines 

PackageKit cockpit-packagekit Software updates and application 
installation (usually installed by 
default) 

PCP cockpit-pcp Persistent and more fine-grained 


performance data (installed on 
demand from the UI) 


podman cockpit-podman Managing podman containers 
(available from RHEL 8.1) 


Session Recording cockpit-session-recording Recording and managing user 
sessions 
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CHAPTER 4. OPTIMIZING THE SYSTEM PERFORMANCE 
USING THE WEB CONSOLE 


Learn how to set a performance profile in the RHEL 8 web console to optimize the performance of the 
system for a selected task. 


4.1. PERFORMANCE TUNING OPTIONS IN THE WEB CONSOLE 


Red Hat Enterprise Linux 8 provides several performance profiles that optimize the system for the 
following tasks: 


e Systems using the desktop 
e Throughput performance 
€ Latency performance 
e Network performance 
€ Low power consumption 
e Virtual machines 
The tuned service optimizes system options to match the selected profile. 


In the web console, you can set which performance profile your system uses. 


Additional resources 


€ Getting started with Tuned 


4.2. SETTING A PERFORMANCE PROFILE IN THE WEB CONSOLE 


This procedure uses the web console to optimize the system performance for a selected task. 


Prerequisites 


e Make sure the web console is installed and accessible. For details, see Installing the web 
console. 


Procedure 
1. Log into the RHEL 8 web console. For details, see Logging in to the web console . 
2. Click Overview. 


3. In the Performance Profile field, click the current performance profile. 
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Health Usage System information Configuration 


А натына cpu o% of 8 CPUs Model GEMU Standard PC (440 Fx + PIX, Hostname lecalhostiocaldomain edit 
A Not connected to Insights 1996) 
mum — 06/08CiB System time Mar 16, 2021257 PM €) 
Mach 
uae cc7elf44fc014862a204a32cfec9033d 


Uptime 9 minutes 


View details and history View hardware details 


4. In the Change Performance Profile dialog box, change the profile if necessary. 


5. Click Change Profile. 


Change performance profile 


Verification steps 


e The Overview tab now shows the selected performance profile. 


4.3. MONITORING PERFORMANCE USING THE WEB CONSOLE 
Red Hat's web console uses the Utilization Saturation and Errors (USE) Method for troubleshooting. 
The new performance metrics page has a historical view of your data organized chronologically with the 


newest data at the top. 


Here, you can view the events, errors, and graphical representation for resource utilization and 
saturation. 


Prerequisites 


1. Make sure the web console is installed and accessible. For details, see Installing the web 
console. 


2. Install the cockpit-pcp package, which enables collecting the performance metrics: 


| # yum install cockpit-pcp 


Procedure 
1. Log into the RHEL 8 web console. For details, see Logging in to the web console . 


2. Click Overview. 
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root@ 
А Нер * [2] - 
localhostlocaldomain © Hep 


Restart ~ 
Overview 
Health Usage System information Configuration 
Logs 
А Not registered ceu O% of 8 CPUs Model QEMU Standard PC (j440FX + PIX, Hostname localhostlocaldomain edit 
Stora Not connected to Insights 1299) 
А 9 Mentory — 06/08ciB System time Mar16, 2021257 PM @ 
Machi 
ID  ec7elf44fc014862a204a32cfec9033d Borah isak 
Uptime Suniriatés Performance profile — virtual-guest 
Secure shellkeys Show fingerprints 
Store metrics 
View details and history View hardware details о 


root E 
localhost.localdomain elp ө 


Overview > Performance Metrics 


CPU Memory Disks Network 
Overview 
8 CPUs % RAM 01 GiB available Read — 434KiB/s Write 186 B/s Interface In Out 
P мии“ 
Logs virbro o o 
Load 1 min: 038, 5 min: 0.44, 15 min: 0.34 Sree € ema o с 
Su Swap. 0.0 GiB available Ө 
Storage ee] " бек» зң» 
КООР /boot 810 MB free. virbro-nic o o 
jetworking Service Used = 
Podman containers grafana-server 478MB 
user@1000 264MB 
sssd-kem 232MB 
pmcd 215 MB 
pmproxy 140 MB 


root 


localhost.localdomain 


5 Today ~ . ЕРЫ P Menar. Disks Network 
stem 
erview 
Swap 258 PM 
Logs | | 
Swap | | | 
Sch Swap 257 PM а 1 
а Swap 2:56 PM |- 
Swap 2:55PM n Iu 
Networking 
Swap | 
Podman containers Мете spike жари 
Swap 
Accounts РЕВ L 
Memory spike 252 PM 
vices Swap 
Swap 
Disk 1/0 spike L- = d 
Te Swap 2:51 PM | 
Memory spike 2:50 PM [s Ж] | 
Applications Memory spike 
Diagnostic Report: Network I/O spike 9 lis 4 
Load spike 2:49 PM 
Kernel Dump Memory spike 
Memory spike 
SELinux Swap 
Disk I/O spike 
Software Updates Network I/O spike 2:48 PM 1 


Subscriptions 


Termin 
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CHAPTER 5. REVIEWING LOGS IN THE WEB CONSOLE 


Learn how to access, review and filter logs in the RHEL 8 web console. 


5.1. REVIEWING LOGS IN THE WEB CONSOLE 


The RHEL 8 web console Logs section is a UI for the journalctl utility. This section describes how to 
access system logs in the web console interface. 


Prerequisites 
e The RHEL 8 web console has been installed. 
For details, see Installing the web console. 


Procedure 


1. Log in to the RHEL web console. 
For details, see Logging in to the web console . 


2. Click Logs. 
eus v Administrative access © Help ” © > 


localhost.localdom... 


Q Sear Priority Identifier 
Time ~ Error and above > All * 
System 
Text 
priority:err © 
July 22, 2020 
А 10:02 AM  euser:a password is required; TTY-unknown ; PWD=/run/user/1000 ; USE... 
A 7:49 AM Process 1271 (systemd-machine) of user O dumped core. Stack trace of thr 


A z T а n" iat ani t noua 


3. Open log entry details by clicking on your selected log entry in the list. 


p = 


NOTE 


You can use the Pause button to pause new log entries from appearing. Once you 
resume new log entries, the web console will load all log entries that were reported after 


you used the Pause button. 


You can filter the logs by time, priority or identifier. For more information, see Section 5.2, "Filtering logs 
in the web console". 


5.2. FILTERING LOGS IN THE WEB CONSOLE 


This section shows how to filter log entries in the web console. 


Prerequisites 


e The web console interface must be installed and accessible. 
For details, see Installing the web console. 
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Procedure 


1. Log in to the RHEL 8 web console. 
For details, see Logging in to the web console . 


2. Click Logs. 


3. By default, web console shows the latest log entries. To filter by a specific time range, click the 
Time drop-down menu and choose a preferred option. 


eusera 
um = Administrative access Ө, Help ~ 
mymachine.idm.exa... 


Priority Identifier 


Info and above v All ы 


Logs 


Current boot 
Previous boot l © 
Last 24 hours 


Last 7 days 
d dnf makecache 


4. Error and above severity logs list is shown by default. To filter by different priority, click the 
Error and above drop-down menu and choose a preferred priority. 


euser 
ыб. ®, X Administrative access © Help ~ 
mymachine.idm.exa... 


Priority Identifier 


Logs 
Time ~ iError and above v All - 


Only Emergen 
Text y ET 


Alert and above 
priority:err © 


Critical and above 
Error and above 


July 22,202! warning and above 


> 


Notice and above red; TTY=unknown ; PWD=/run/user/1000 ; USER ‹ ap 
н Info and above 
A 7:49 Al achine) of user О dumped core. Stack trace of thr 
Debug and above 
A 7:49 AM ^ systemd-journald.service: Watchdog timeout (limit 3min)! 


5. By default, web console shows logs for all identifiers. To filter logs for a particular identifier, click 
the All drop-down menu and select an identifier. 


euserG 
-» Administrative access © Help * z 


mymachine.idm.exa... 


Priority Identifier 
Time v Error and above ы All |F 
All 
Text 
priority:err Боої:О © 
kernel 
smartd 
July 22, 2020 sudo 
Å 10:02 AM euser:a password is requirei systemd n/user/1000 ; USER €o 
] systemd-coredump 
A :49 AM Process 1271 (systemd-mack...—,.—..———. LLL... Stack trace of thr... 


6. To open a log entry, click on a selected log. 
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5.3. TEXT SEARCH OPTIONS FOR FILTERING LOGS IN THE WEB 
CONSOLE 


The text search option functionality provides a big variety of options for filtering logs. If you decide to 
filter logs by using the text search, you can use the predefined options that are defined in the three 
drop-down menus, or you can type the whole search yourself. 


Drop-down menus 


There are three drop-down menus that you can use to specify the main parameters of your search: 


e Time: This drop-down menu contains predefined searches for different time ranges of your 
search. 


€ Priority: This drop-down menu provides options for different priority levels. It corresponds to 
the journalctl --priority option. The default priority value is Error and above. It is set every 
time you do not specify any other priority. 


e Identifier: In this drop-down menu, you can select an identifier that you want to filter. 
Corresponds to the journalctl --identifier option. 


Quantifiers 


There are six quantifiers that you can use to specify your search. They are covered in the Options for 
filtering logs table. 


Log fields 


If you want to search for a specific log field, it is possible to specify the field together with its content. 


Free-form text search in logs messages 


You can filter any text string of your choice in the logs messages. The string can also be in the form of a 
regular expressions. 


Advanced logs filtering I 


Filter all log messages identified by 'systemd' that happened since October 22, 2020 midnight and 
journal field JOB TYPE'is either 'start' or 'restart. 


1 Type identifier:systemd since:2020-10-22 JOB TYPEzstart,restart to search field. 


2. Check the results. 


Time ~ Priority — Info and above М Identifier — All ~ Text ргіогіїу:іпѓо service:cockpit boot:-1 error[fail [9] Resume 


October 2, 2020 


11:13 AM cockpit-tls: gnutls handshake failed: Error in the push function. 


t 

11:13 AM cockpit-tls: gnutls handshake failed: The TLS connection was non-properly terminated cockpit-tls 
8:33 AM cockpit-tls: gnutls handshake failed: A TLS fatal alert has been received. t 
t 


з AM cockpit-tls: gnutls handshake failed: Error in the push function cockpit- 


Advanced logs filtering II 


Filter all log messages that come from 'cockpit.service' systemd unit that happened in the boot before 
last and the message body contains either "error" or "fail". 


1. Type service:cockpit boot:-1 error|fail to the search field. 


2. Check the results. 
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Time ~ Priority Error and above X Identifier systemd - Text ргіогіќу:егг identifier:systemd since:2020-10-22 JOB_TYPE=start,restart [9] Pause 
October 25, 2020 
A 1:10 AM Failed to start Process archive logs. systemd 
October 24, 2020 
A 2:21 AM Failed to start dnf makecache. systemd © | 
А. 1:10 AM Failed to start Process archive logs. ystemd 
October 23, 2020 
А. 2:08 AM Failed to start dnf makecache. ела @ 
A 1:10 AM Failed to start Process archive logs. systemd 
October 22,2020 
А. 1:56 AM Failed to start dnf makecache. systemd © 


A 1:10 AM Failed to start Process archive logs. systemd 


5.4. USING A TEXT SEARCH BOX TO FILTER LOGS IN THE WEB 
CONSOLE 


Using the text search box allows you to filter logs according to different parameters. The search 
combines usage of the filtering drop-down menus, quantifiers, log fields and free-form string search. 


Prerequisites 


e The web console interface must be installed and accessible. 
For details, see Installing the web console. 


Procedure 


1. Log in to the RHEL 8 web console. 
For details, see Logging in to the web console . 


2. Click Logs. 


3. Use the drop-down menus to specify the three main quantifiers - time range, priority, and 
identifier(s) - you want to filter. 
The Priority quantifier always has to have a value. If you do not specify it, it automatically filters 
the Error and above priority. Notice that the options you set reflect in the text search box. 


4. Specify the log field you want to filter. 
It is possible to add several log fields. 


5. You can use a free-form string to search for anything else. The search box also accepts regular 
expressions. 


5.5. OPTIONS FOR LOGS FILTERING 


There are several journalctl options, which you can use for filtering logs in the web console, that may be 
useful. Some of these are already covered as part of the drop-down menus in the web console interface. 


Table 5.1. Table 


Option name Usage Notes 
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Option name Usage Notes 
priority Filter output by message Covered in the Priority drop- 
priorities. Takes a single numeric down menu. 


or textual log level. The log levels 
are the usual syslog log levels. If a 
single log level is specified, all 
messages with this log level or a 
lower (hence more important) log 
level are shown. 


identifier Show messages for the specified Coverediin the Identifier drop- 
syslog identifier down menu. 
SYSLOG IDENTIFIER. Can be 
specified multiple times. 


follow Shows only the most recent Not covered in a drop-down. 
journal entries, and continuously 
prints new entries as they are 
appended to the journal. 


service Show messages for the specified Is not covered in a drop-down. 
systemd unit. Can be specified Corresponds to the journalctl -- 
multiple times. unit parameter. 
boot Show messages from a specific Covered only as Current boot or 
boot. Previous boot in the Time drop- 
down menu. Other options need 
A positive integer will look up the to be written manually. 


boots starting from the beginning 
of the journal, and an equal-or- 
less-than zero integer will look up 
boots starting from the end of the 
journal. Thus, 1 means the first 
boot found in the journal in 
chronological order, 2 the second 
and so on; while -O is the last 
boot, -1the boot before last, and 
so on. 
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Option name Usage 


since Start showing entries on or newer 
than the specified date, or on or 
older than the specified date, 
respectively. Date specifications 
should be of the format "2012-10- 
30 18:17:16". If the time part is 
omitted, "00:00:00" is assumed. 
If only the seconds component is 
omitted, ":00" is assumed. If the 
date component is omitted, the 
current day is assumed. 
Alternatively the strings 
"yesterday", "today", "tomorrow" 
are understood, which refer to 
00:00:00 of the day before the 
current day, the current day, or 
the day after the current day, 
respectively. "now" refers to the 
current time. Finally, relative times 
may be specified, prefixed with "-" 
or "+", referring to times before or 
after the current time, 
respectively. 
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CHAPTER 6. MANAGING USER ACCOUNTS IN THE WEB 
CONSOLE 


The RHEL web console offers an interface for adding, editing, and removing system user accounts. 
After reading this section, you will know: 

e From where the existing accounts come from. 

e How to add new accounts. 

e How to set password expiration. 


е How and when to terminate user sessions. 


Prerequisites 


e Being logged into the RHEL web console with an account that has administrator permissions 
assigned. For details, see Logging in to the RHEL web console . 


6.1. SYSTEM USER ACCOUNTS MANAGED IN THE WEB CONSOLE 
With user accounts displayed in the RHEL web console you can: 

e Authenticate users when accessing the system. 

e Set the access rights to the system. 


The RHEL web console displays all user accounts located in the system. Therefore, you can see at least 
one user account just after the first login to the web console. 


After logging into the RHEL web console, you can perform the following operations: 
€ Create new users accounts. 
€ Change their parameters. 
€ Lock accounts. 


e Terminate user sessions. 


6.2. ADDING NEW ACCOUNTS USING THE WEB CONSOLE 


Use the following steps for adding user accounts to the system and setting administration rights to the 
accounts through the RHEL web console. 


Prerequisites 


e The RHEL web console must be installed and accessible. For details, see Installing the web 
console. 


Procedure 


1. Log in to the RHEL web console. 
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. Click Accounts. 
. Click Create New Account. 


. In the Full Name field, enter the full name of the user. 


The RHEL web console automatically suggests a user name from the full name and fills it in the 
User Name field. If you do not want to use the original naming convention consisting of the first 
letter of the first name and the whole surname, update the suggestion. 


. In the Password/Confirm fields, enter the password and retype it for verification that your 


password is correct. 
The color bar placed below the fields shows you security level of the entered password, which 
does not allow you to create a user with a weak password. 


. Click Create to save the settings and close the dialog box. 
. Select the newly created account. 


. Select Server Administrator in the Roles item. 


RED HAT ENTERPRISE LINUX © Example User © 


E mymachine 


Accounts 


Example User 


Q 
" Example User Terminate Session 
Overview 


Logs Full Name Example User 


Storage 


UserName  euser 


Networking 


Roles м Server Administrator 


Podman 
LastLogin Logged In 
Access Lock Account Never lock account 
Accounts 
Password | Set Password | Еогсе Сһапде | Never expire password 


Services 


Now you can see the new account in the Accounts settings and you can use the credentials to 
connect to the system. 


6.3. ENFORCING PASSWORD EXPIRATION IN THE WEB CONSOLE 


By default, user accounts have set passwords to never expire. You can set system passwords to expire 
after a defined number of days. When the password expires, the next login attempt will prompt for a 
password change. 


Procedure 


1. 


2. 
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Log in to the RHEL 8 web console. 


Click Accounts. 


. Select the user account for which to enforce password expiration. 


. In the user account settings, click Never expire password. 
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5. In the Password Expiration dialog box, select Require password change every ... daysand 
enter a positive whole number representing the number of days when the password expires. 


1. Click Change. 


Verification steps 


€ To verify that the password expiration is set, open the account settings. 
The RHEL 8 web console displays a link with the date of expiration. 


E mymachine 


Accounts > Example User 


Example User Terminate Session 


Full Name Example User 


User Name euser 
Roles (м Server Administrator 
LastLogin Logged n 


Access Lock Account Never lock account 
Accounts 


Password | Set Password J Force Change Require password change on Oct 20, 2020 


6.4. TERMINATING USER SESSIONS IN THE WEB CONSOLE 
A user creates user sessions when logging into the system. Terminating user sessions means to log the 
user out from the system. It can be helpful if you need to perform administrative tasks sensitive to 


configuration changes, for example, system upgrades. 


In each user account in the RHEL 8 web console, you can terminate all sessions for the account except 
for the web console session you are currently using. This prevents you from loosing access to your 
system. 


Procedure 


1. Log in to the RHEL 8 web console. 
2. Click Accounts. 
3. Click the user account for which you want to terminate the session. 


4. Click Terminate Session. 
If the Terminate Session button is inactive, the user is not logged in to the system. 


The RHEL web console terminates the sessions. 
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CHAPTER 7. MANAGING SERVICES IN THE WEB CONSOLE 


Learn how to manage system services in the RHEL 8 web console interface. You can activate or 
deactivate services, restart or reload them, or manage their automatic startup. 


7.1. ACTIVATING OR DEACTIVATING SYSTEM SERVICES IN THE WEB 
CONSOLE 


This procedure activates or deactivates system services using the web console interface. 


Prerequisites 


e The RHEL 8 web console has been installed. 
For details, see Installing the web console. 


PROCEDURE 


You can filter the services by name or description and also by Enabled, Disabled, or Static 
automatic startup. The interface shows the current state of the service and its recent 


logs. 


1. Log in to the RHEL web console with administrator privileges. 
For details, see Logging in to the web console . 


2. Click Services in the web console menu on the left. 


3. The default tab for Services is System Services. If you want to manage targets, sockets, timers, 
or paths, switch to the respective tab in the menu on top. 
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E mymachine System Services 


б сс 
Filter by name or дє ptio All = 
Overview 
vi Name Description State Automatic Startup 
Logs 
5% accounts-daemon Accounts Service active (running) Enabled 
Storage 
Net k alsa-restore Save/Restore Sound Card State inactive (dead) Static 
Networking 
Pod alsa-state Manage Sound Card State (restore and active (running) Static 
odman store) 
anaconda-direct the anaconda installation program inactive (dead) Static 
anaconda-nm-config Anaconda NetworkManager configuration inactive (dead) Static 
Services 
anaconda-noshell Restrict Anaconda Text Console inactive (dead) Static 


4. To open service settings, click on a selected service from the list. You can tell which services are 
active or inactive by checking the State column. 


5. Activate or deactivate a service: 


e То activate an inactive service, click the Start button. 
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Services > anaconda.service 


Anaconda : 


Status © Stati 


(D Not 


Disallow running (mask) 
Path — /usr/lib/ . | 'ice 


€ Todeactivate an active service, click the Stop button. 


Services > cockpit.service 


Cockpit Web Service  : 


Status © Static Restart 


© Running Active since May 
Stop 


Path — /usr/lib/systemd/system/c 


Disallow running (mask) 


7.2. RESTARTING SYSTEM SERVICES IN THE WEB CONSOLE 


This procedure restarts system services using the web console interface. 


Prerequisites 


e The RHEL 8 web console has been installed. 
For details, see Installing the web console. 


PROCEDURE 
You can filter the services by name or description and also by Enabled, Disabled, or Static 


automatic startup. The interface shows the current state of the service and its recent 
logs. 


1. Log in to the RHEL web console with administrator privileges. 
For details, see Logging in to the web console . 
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2. Click Services in the web console menu on the left. 


3. The default tab for Services is System Services. If you want to manage targets, sockets, timers, 
or paths, switch to the respective tab in the menu on top. 


RED HAT ENTERPRISE LINUX A Example User © 


Е! тугпасһїпе System Services 


Name Description State Automatic Startup 


accounts-daemon Accounts Service active (running) Enabled 

alsa-restore Save/Restore Sound Card State inactive (dead) Static 

alsa-state Manage Sound Card State (restore and active (running) Static 

store) 

anaconda-direct the anaconda installation program inactive (dead) Static 
Accounts 

anaconda-nm-config Anaconda NetworkManager configuration inactive (dead) Static 
Services 

anaconda-noshell Restrict Anaconda Text Console inactive (dead) Static 


4. To open service settings, click on a selected service from the list. 


5. Torestart a service, click the Restart button. 


Services > cockpit.service 


Cockpit Web Service  : 
Status © Static 


© Running Active since May 


Stop 
Path /usr/lib/systemd/system/c 


Disallow running (mask) 
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CHAPTER 8. CONFIGURING NETWORK BONDS USING THE 
WEB CONSOLE 


Learn how network bonding works and configure network bonds in the RHEL 8 web console. 


NOTE 
The RHEL 8 web console is build on top of the NetworkManager service. 


For details, see Getting started with NetworkManager for managing networking. 


Prerequisites 


e The RHEL 8 web console installed and enabled. 
For details, see Installing the web console. 


8.1. UNDERSTANDING NETWORK BONDING 


Network bonding is a method to combine or aggregate network interfaces to provide a logical interface 
with higher throughput or redundancy. 


The active-backup, balance-tlb, and balance-alb modes do not require any specific configuration of 
the network switch. However, other bonding modes require configuring the switch to aggregate the 
links. For example, Cisco switches requires EtherChannel for modes O, 2, and 3, but for mode 4, the 
Link Aggregation Control Protocol (LACP) and EtherChannel are required. 


For further details, see the documentation of your switch and Linux Ethernet Bonding Driver HOWTO. 


IMPORTANT 


Certain network bonding features, such as the fail-over mechanism, do not support direct 
cable connections without a network switch. For further details, see the Is bonding 
supported with direct connection using crossover cables? KCS solution. 


8.2. BOND MODES 


In RHEL 8 there are several mode options. Each mode option is characterize by specific load balancing 
and fault tolerance. The behavior of the bonded interfaces depends upon the mode. The bonding 
modes provide fault tolerance, load balancing or both. 


Load balancing modes 


e Round Robin Sequentially transmit packets from the first available interface to the last one. 


Fault tolerance modes 


€ Active Backup: Only when the primary interface fails, one of a backup interfaces replaces it. 
Only a MAC address used by active interface is visible. 


e Broadcast All transmissions are sent on all interfaces. 
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NOTE 


Broadcasting significantly increases network traffic on all the bonded interfaces. 


Fault tolerance and load balancing modes 


XOR: The destination MAC addresses are distributed equally between interfaces with a modulo 
hash. Each interface then serves the same group of MAC addresses. 


802.3ad: Sets an IEEE 802.3ad dynamic link aggregation policy. Creates aggregation groups 
that share the same speed and duplex settings. Transmits and receives on all interfaces in the 
active aggregator. 


NOTE 


This mode requires a switch that is 802.3ad compliant. 


Adaptive transmit load balancing: The outgoing traffic is distributed according to the current 
load on each interface. Incoming traffic is received by the current interface. If the receiving 
interface fails, another interface takes over the MAC address of the failed one. 


Adaptive load balancing: Includes transmit and receive load balancing for IPv4 traffic. 
Receive load balancing is achieved through Address Resolution Protocol (ARP) negotiation, 
therefore, it is necessary to set Link Monitoring to ARP in the bond's configuration. 


8.3. ADDING A NEW BOND USING THE WEB CONSOLE 


Configure an active-backup bond on two or more network interfaces using the web console. 


Other network bond modes can be configured similarly. 


Prerequisites 


Two or more network cards are installed in the server. 


The network cards are connected to a switch. 


Procedure 


42 


1. 


Log in to the web console. 
For details, see Logging in to the web console . 


. Open Networking. 

. Click the Add Bond button. 

. In the Bond Settings dialog box, enter a name for the new bond. 

. In the Members field, select interfaces which should be a member of the bond. 


. [Optional] In the MAC drop down list, select a MAC address which will be used for this interface. 


If you leave the MAC field empty, the bond will get one of the addresses that are listed in the 
drop down list. 


. In the Mode drop down list, select the mode. 
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For details, see network bond modes 


8. If you select Active Backup, select the primary interface. 


MAC | E8:6A:64:04:9A:C2 - 
Mode | Active Backup v 
Primary | enpOs31f6 v 


9. In the Link Monitoring drop down menu, leave here the MII option. 
Only the adaptive load balancing mode requires to switch this option to ARP. 


10. The Monitoring Interval, Link up delay, and Link down delay fields, which contain values in 
milliseconds, leave as they are. Change it only for a troubleshooting purpose. 


1. Click Apply. 


Bond Settings 


Name | mybond 


Interfaces u 
(v епр0531#6 
{МЇ enp0p25b1 
_) virbro 
_) vnet1 
_) vnet2 
MAC | E8:6A:64:04:9A:C2 M 
Mode | Active Backup v 
Primary | епр0531#6 v 
Link Monitoring | MII (Recommended) v 


Monitoring Interval | 100 
Link up delay | 0 


Link down delay | 0 


Cancel Apply 


To verify that the bond works correctly, go to the Networking section and check if the Sending and 
Receiving columns in the Interfaces table display a network activity. 
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Interfaces Add Bond | Add Team | Add Bridge || Add VLAN 


10.253.16.25/24 46.6 Kbps 16.2 Kbps 
tuno 10.40.204.83/22 1.46 Kbps 2.59 Kbps 
мігрго 192.168.122.1/24 Мо саггіег 


8.4. ADDING INTERFACES TO THE BOND USING THE WEB CONSOLE 
Network bonds can include multiple interfaces and you can add or remove any of them at any time. 


Learn how to add a network interface to an existing bond. 


Prerequisites 


e Having a bond with multiple interfaces configured as described in Section 8.3, "Adding a new 
bond using the web console". 


Procedure 


1. Log in to the web console. 
For details, see Logging in to the web console . 


2. Open Networking. 

3. In the Interfaces table, click on the bond you want to configure. 

4. In the bond settings screen, scroll down to the table of members (interfaces). 
5. Click the * icon. 


6. Select the interface in the drop down list and click it. 


Members Sending Receiving ^ 
tuno 

enp0s31f6 561 bps 1000 bps 
virbrO 


vnet1 


o o 
= 2 


ens12 0 bps 0 bps 
vnet2 


wlp61s0 


The RHEL 8 web console adds the interface to the bond. 


8.5. REMOVING OR DISABLING AN INTERFACE FROM THE BOND 
USING THE WEB CONSOLE 


Network bonds can include multiple interfaces. If you need to change a device, you can remove or 
disable particular interfaces from the bond, which will work with the rest of the active interfaces. 


To stop using an interface included in a bond, you can: 


e Remove the interface from the bond. 
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e Disable the interface temporarily. The interface stays a part of the bond, but the bond will not 
use it until you enable it again. 


Prerequisites 


e Having a bond with multiple interfaces configured as described in Section 8.3, "Adding a new 
bond using the web console". 


Procedure 


1. Log in to the RHEL web console. 
For details, see Logging in to the web console . 


2. Open Networking. 
3. Click the bond you want to configure. 
4. In the bond settings screen, scroll down to the table of ports (interfaces). 


5. Select the interface and and remove or disable it: 


€ Click the -icon to remove the interface. 


€ Switch the ON/OFF button to Off. 


Members Sending Receiving * 


enp0s31f6 101 Kbps 3.63 Mbps m 


ens12 0 bps 0 bps € 


Based on your choice, the web console either removes or disables the interface from the bond and you 
can see it back in the Networking section as standalone interface. 


8.6. REMOVING OR DISABLING A BOND USING THE WEB CONSOLE 


Remove or disable a network bond using the web console. If you disable the bond, the interfaces stay in 
the bond, but the bond will not be used for network traffic. 


Prerequisites 


e There is an existing bond in the web console. 


Procedure 


1. Log in to the web console. 
For details, see Logging in to the web console . 


2. Open Networking. 
3. Click the bond you want to remove. 


4. In the bond settings screen, you can disable the bond with the ON/OFF button or click the 
Delete button to remove the bond permanently. 
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mybond Bond Е8:6А:64:04:9А:С2 


Status 10.253.16.25/24, fe80:0:0:0:de45:c6f6:8ddd:ef21/64 
Carrier Yes 
General (М Connect automatically 

IPv4 Automatic (DHCP) 

IPv6 Automatic 

MTU Automatic 


Bond Round Robin 


You can go back to Networking and verify that all the interfaces from the bond are now standalone 
interfaces. 
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CHAPTER 9. CONFIGURING NETWORK TEAMS USING THE 
WEB CONSOLE 


Learn how network bonding works, what are the differences between network teams and network bonds, 
and what are the possibilities of configuration in the web console. 


Additionally you can find guidelines for: 
€ Adding a new network team 
€ Adding new interfaces to an existing network team 
e Removing interfaces from an existing network team 


e Removing a network team 


Prerequisites 


e The RHEL 8 web console installed and enabled. 
For details, see Installing the web console. 


9.1. UNDERSTANDING NETWORK TEAMING 


Network teaming is a feature that combines or aggregates network interfaces to provide a logical 
interface with higher throughput or redundancy. 


Network teaming uses a kernel driver to implement fast handling of packet flows, as well as user-space 
libraries and services for other tasks. This way, network teaming is an easily extensible and scalable 
solution for load-balancing and redundancy requirements. 


IMPORTANT 


Certain network teaming features, such as the fail-over mechanism, do not support direct 
cable connections without a network switch. For further details, see 15 bonding supported 
with direct connection using crossover cables? 


9.2. COMPARISON OF NETWORK TEAMING AND BONDING FEATURES 


Learn about the features supported in network teams and network bonds: 


Feature Network bond Network team 
Broadcast Tx policy Yes Yes 
Round-robin Tx policy Yes Yes 
Active-backup Tx policy Yes Yes 
LACP (802.3ad) support Yes (active only) Yes 
Hash-based Tx policy Yes Yes 
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Feature Network bond Network team 
User can set hash function No Yes 

Tx load-balancing support (TLB) Yes Yes 

LACP hash port select Yes Yes 
Load-balancing for LACP support No Yes 
Ethtool link monitoring Yes Yes 

ARP link monitoring Yes Yes 
NS/NA (IPv6) link monitoring No Yes 

Ports up/down delays Yes Yes 

Port priorities and stickiness ("primary" option No Yes 
enhancement) 

Separate per-port link monitoring setup No Yes 
Multiple link monitoring setup Limited Yes 
Lockless Tx/Rx path No (rwlock) Yes (RCU) 
VLAN support Yes Yes 
User-space runtime control Limited Yes 

Logic in user-space No Yes 
Extensibility Hard Easy 
Modular design No Yes 
Performance overhead Low Very low 
D-Bus interface No Yes 
Multiple device stacking Yes Yes 

Zero config using LLDP No (in planning) 
NetworkManager support Yes Yes 
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9.3. ADDING A NEW TEAM USING THE WEB CONSOLE 


Configure a new active backup network team on two or more network interfaces using the web console. 


Prerequisites 


€ Two or more network cards installed on the server. 


€ The network cards are connected їо a switch. 


Procedure 


1. Log in to the web console. 
For details, see Logging in to the web console 


2. Goto the Networking tab. 
3. Click the Add Team button. 


4. |n the Team Settings area, configure parameters for the new team: 


a. Add a name for your team device to the Name field. 
b. In the Ports field, select all network interfaces you want to add to the team. 
c. In the Runner drop down menu, select the runner. 


d. In the Link Watch drop down menu select a link watcher. 


i. If you select Ethtool, additionally, set a link up delay and a link down delay. 
ii. If you select ARP Ping or NSNA Ping, additionally, set a ping interval and ping target. 


5. Click Apply 
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Team Settings 
Name myteam 
Ports 
enplsO 
vi enp7sO 
v епр850 
_) епр950 
Runner Active Backup М 
LinkWatch ^ Ethtool M 
Link up delay о 
Link down delay о 


Verification steps 


1. Go to the Networking tab and check if the Sending and Receiving columns in the Interfaces 
table display a network activity. 


Storage 
- Firewall e 
Networking 


PODES 1 Active Zone 


Containers 


Interfaces Add Bond || Add Team || Add Bridge || Add VLAN 


Name IP Address Sending Receiving 
enplsO 192168122.222/24 0.00938 Ьрѕ 3.95 bps 
enp9sO Inactive 

myteam 192168.122.250/24 3.52 bps 3.29 bps 


Additional resources 


€ Network team runners 


9.4. ADDING NEW INTERFACES TO THE TEAM USING THE WEB 
CONSOLE 


Network teams can include multiple interfaces and it is possible to add or remove any of them at any 
time. The following section describes how to add a new network interface to an existing team. 
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FIierequisites 


€ Anetwork team with is configured. 


Procedure 


1. Log in to the web console. 
For details, see Logging in to the web console . 


2. Switch to the Networking tab. 

3. In the Interfaces table, click on the team you want to configure. 
4. |n the team settings window, scroll down to the Ports table. 

5. Click on the + icon. 


6. Select the interface you wish to add from the drop down list. 


Ports Sending Receiving [*] 
enp7sO O bps O bps enp1sO 
enp8sO O bps O bps enp9s0 


The RHEL 8 web console adds the interface to the team. 


9.5. REMOVING OR DISABLING AN INTERFACE FROM THE TEAM 
USING THE WEB CONSOLE 


Network teams can include multiple interfaces. If you need to change a device, you can remove or 
disable particular interfaces from the network team, which will work together with the rest of active 
interfaces. 

There are two options how to stop using an interface included in a team: 


e Removing the interface from the team 


e Temporarily disabling the interface. The interface then stays a part of the team, but the team 
will not use it until you enable it again. 


Prerequisites 


€ Anetwork team with multiple interfaces exists on the host. 


Procedure 


1. Log in to the RHEL web console. 
For details, see Logging in to the web console . 


2. Switch to the Networking tab. 
3. Click the team you want to configure. 


4. |n the team settings window, scroll down to the table of ports (interfaces). 
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5. Select an interface and remove or disable it. 


a. Switch the ON/OFF button to Off to disable the interface. 


b. Click the - icon to remove the interface. 


Ports Sending Receiving + 


enp7sO O bps O bps eo (-] 
e 


епр850 О bps О bps 


Based on your choice, the web console either removes ог disables the interface. If you remove the 
interface, it will be available in Networking as a standalone interface. 


9.6. REMOVING OR DISABLING A TEAM USING THE WEB CONSOLE 


Remove or disable a network team using the web console. If you only disable the team, interfaces in the 
team will stay in it but the team will not be used for network traffic. 


Prerequisites 


€ Anetwork team is configured on the host. 


Procedure 


1. Log in to the web console. 
For details, see Logging in to the web console . 


2. Switch to the Networking tab. 
3. Click the team you wish to remove or disable. 


4. Remove or disable the selected team. 


a. You can remove the team by clicking the Delete button. 


b. You can disable the team by moving the ON/OFF switch to a disabled position. 


myteam Team 52:54:00:25:А9:70 


Verification steps 


e |fyouremoved the team, go to Networking, and verify that all the interfaces from your team are 
now listed as standalone interfaces. 
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CHAPTER 10. CONFIGURING NETWORK BRIDGES IN THE WEB 


CONSOLE 


Network bridges are used to connect multiple interfaces to the one subnet with the same range of IP 


addresses. 


Prerequisites 


e The RHEL 8 web console installed and enabled. 
For details, see Installing the web console. 


10.1. ADDING BRIDGES IN THE WEB CONSOLE 


Create a software bridge on multiple network interfaces using the web console. 


Procedure 


1. Log in to the RHEL web console. 
For details, see Logging in to the web console . 


2. Open Networking. 


3. Click the Add Bridge button. 


E localhost.local... v 


Kbps Sending 
800 


Networking Firewall 


4 Active Rules 


Interfaces 


Name 


enp0s31f6 


Mbps Receiving 
12 


Add Bond || Add Team§ Add Bridge | Add VLAN 


Sending Receiving 


560 bps 1.06 Kbps 


4. In the Bridge Settings dialog box, enter a name for the new bridge. 


5. In the Port field, select interfaces which you want to put to the one subnet. 


6. Optionally, you can select the Spanning Tree protocol (STP) to avoid bridge loops and 


broadcast radiation. 


If you do not have a strong preference, leave the predefined values as they are. 
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Bridge Settings 


Name | bridgeO 


Ports | (4 enpOs31f6 
| Jtuno 

| JvirbrO 

м vneto 


м vnet1 


_) wlp61s0 


Spanning Tree Protocol (STP) м 
STP Priority | 32768 
STP Forward delay | 15 
STP Hello time | 2 


STP Maximum message age | 20 


Cancel Apply 


7. Click Create. 


If the bridge is successfully created, the web console displays the new bridge in the Networking section. 
Check values in the Sending and Receiving columns in the new bridge row. 


Interfaces Add Bond | Add Team | Add Bridge | Add VLAN 
Name IP Address Sending Receiving 

virbro 192.168.122.1/24 No carrier 

wip61s0 10.253.16.39/24 0 bps 0 bps 


If you can see that zero bytes are sent and received through the bridge, the connection does not work 
correctly and you need to adjust the network settings. 


10.2. CONFIGURING A STATIC IP ADDRESS IN THE WEB CONSOLE 


IP address for your system can be assigned from the pool automatically by the DHCP server or you can 
configure the IP address manually. The IP address will not be influenced by the DHCP server settings. 


Learn how to configure static IPv4 addresses of a network bridge using the RHEL web console. 


Procedure 


54 


CHAPTER 10. CONFIGURING NETWORK BRIDGES IN THE WEB CONSOLE 


1. Log in to the RHEL web console. 
For details, see Logging in to the web console . 


2. Open the Networking section. 


3. Click the interface where you want to set the static IP address. 


E localhost.local... v 


Kbps Sending Kbps Receiving 
800 800 
00 00 
А - à РА 0 Да ғара М шь 
10:29 10:30 10:31 10:32 10:29 10:30 10:31 10:32 
Storage 
Networking Firewall 


Accounts 
4 Active Rules 


Interfaces Add Bond || Add Team | Add Bridge || Add VLAN 


Name IP Address Sending Receiving 
bridgeO 10.253.16.25/24 336 bps 2.24 Kbps 
virbro 192.168.122.1/24 No carrier 


wip61s0 10.253.16.39/24 0 bps 


4. In the interface details screen, click the IPv4 configuration. 


10.253.16.25/24, fe80:0:0:0:7813:2486:f2d0:92ad/64 
Yes 


(м Connect automatically 


Pv4 Automatic (DHCP) 


Pv6 Automatic 


TU Automatic 


5. In the IPv4 Settings dialog box, select Manual in the Addresses drop down list. 


55 


Red Hat Enterprise Linux 8 Managing systems using the RHEL 8 web console 


IPv4 Settings 


Addresses Automatic (DHCP) ~ 


Automatic (DHCP) 


Shared 
DNS Search Domains Disabled 


Automatic 
Cancel Apply 


6. Click Apply. 
7. In the Addresses field, enter the desired IP address, netmask and gateway. 


IPv4 Settings 


Addresses Manual ~ + 


192.168.122.3 255.255.255.0 192.168.122.1| | = 
DNS Automatic ES + 


DNS Search Domains Automatic | ON | + 


Routes Automatic Eg + 
Cancel Apply 


8. Click Apply. 


At this point, the IP address has been configured and the interface uses the new static IP address. 
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Pv4 Address 192.168.122.3/24 via 192.168.122.1 


Automatic 


MTU Automatic 


10.3. REMOVING INTERFACES FROM THE BRIDGE USING THE WEB 
CONSOLE 


Network bridges can include multiple interfaces. You can remove them from the bridge. Each removed 
interface will be automatically changed to the standalone interface. 


Learn how to remove a network interface from a software bridge created in the RHEL 8 system. 


Prerequisites 


e Having a bridge with multiple interfaces in your system. 


Procedure 


1. Log in to the RHEL web console. 
For details, see Logging in to the web console . 


2. Open Networking. 


3. Click the bridge you want to configure. 


E localhost.local... v f 
Kbps Sending Kbps Receiving 


800 800 


10:29 10:30 10:31 10:32 10:29 10:30 10:31 10:32 


Storage 
Networking Firewall 


Accounts 
4 Active Rules 

Interfaces Add Bond || Add Team | Add Bridge || Add VLAN 
Name IP Address Sending Receiving 

bridgeO 10.253.16.25/24 336 bps 2.24 Kbps 


virbro 192.168.122.1/24 No carrier 


wip61s0 10.253.16.39/24 0 bps 


4. In the bridge settings screen, scroll down to the table of ports (interfaces). 


Ports Sending Receiving + 
enp0s31f6 0 bps 0 bps z 
vneto 0 bps 0 bps - 
vnet1 0 bps 0 bps ES em 
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5. Select the interface and click the - icon. 


The RHEL 8 web console removes the interface from the bridge and you can see it back in the 
Networking section as standalone interface. 


10.4. DELETING BRIDGES IN THE WEB CONSOLE 


You can delete a software network bridge in the RHEL web console. All network interfaces included in 
the bridge will be changed automatically to standalone interfaces. 


Prerequisites 


e Having a bridge in your system. 


Procedure 


1. Log in to the RHEL web console. 
For details, see Logging in to the web console . 


2. Open the Networking section. 


3. Click the bridge you want to configure. 


E localhost.local... v 


Kbps Sending Kbps Receiving 
800 800 


400 400 


10:29 10:30 10:31 10:32 10:29 10:30 10:31 10:32 


Firewall 


4 Active Rules 


Interfaces Add Bond || Add Team Add Bridge || Add VLAN 


Name 


bridgeO 


virbro 


wip61s0 


IP Address 


10.253.16.25/24 


192.168.122.1/24 


10.253.16.39/24 


Sending 


336 bps 


No carrier 


0 bps 


Receiving 


2.24 Kbps 


4. In the bridge settings screen, scroll down to the table of ports. 


Ports Sending Receiving - 

enp0s31f6 0 bps 0 bps = 

vneto 0 bps 0 bps = 

vnet1 0 bps 0 bps ES = 
5. Click Delete. 


At this stage, go back to Networking and verify that all the network interfaces are displayed on the 
Interfaces tab. Interfaces which were part of the bridge can be inactive now. Therefore, you may need to 
activate them and set network parameters manually. 


58 


Interfaces 


Name 
enp0s31f6 
сипо 
virbro 
vneto 


vnet1 
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IP Address 


10.253.16.25/24 


10.40.205.17/22 


192.168.122.1/24 


| Add Bond | Add Team | Add Bridge || Add VLAN | 


Sending Receiving 
1.12 Kops 1.60 Kbps 
0 bps 0 bps 

No carrier 

Inactive 

Inactive 
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CHAPTER 11. CONFIGURING VLANS IN THE WEB CONSOLE 


VLANs (Virtual LANs) are virtual networks created on a single physical Ethernet interface. Each VLAN is 
defined by an ID which represents a unique positive integer and works as a standalone interface. 


Learn how to create VLANs in the RHEL web console. 


Prerequisites 


e The RHEL 8 web console installed and enabled. 
For details, see Installing the web console. 


e Having a network interface in your system. 


Procedure 


1. Log in to the RHEL web console. 
For details, see Logging in to the web console . 


2. Open Networking. 


3. Click Add VLAN button. 


E localhost.local... v 


Kbps Sending Mbps Receiving 
800 12 


Networking Firewall 


4 Active Rules 


Interfaces Add Bond Add Team || Add Zr 


Name IP Address Sending Receiving 


enpOs31f6 10.253.16.25/24 560 bps 1.06 Kbps 


4. Inthe VLAN Settings dialog box, select the physical interface for which you want to create a 
VLAN. 


5. Enter the VLAN Id or just use the predefined number. 


6. In the Name field, you can see a predefined name consisted of the parent interface and VLAN 
Id. If itis not necessary, leave the name as it is. 


VLAN Settings 


Parent | enpOs31f6 M 
VLAN Id | 1 


Name | enpOs31f6.1 


Cancel Apply 
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7. Click Apply. 
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The new VLAN has been created and you need to click at the VLAN and configure the network settings. 


Interfaces 


Name IP Address 


enp0s31f6 10.253.16.25/24 


enp0s31f6.1 


tuno 10.40.204.27/22 
virbro 192.168.122.1/24 
wip61s0 10.253.16.39/24 


| Add Bond | Add Team | Add Bridge | Add VLAN 


Sending Receiving 
7.66 Kbps 5.47 Kbps 


Configuring IP 


0 bps 0 bps 
0 bps 0 bps 
0 bps 0 bps 
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CHAPTER 12. CONFIGURING THE WEB CONSOLE LISTENING 
PORT 


Learn how to allow new ports or change the existing ports using the RHEL web console. 


Prerequisites 


e The RHEL 8 web console installed and enabled. 
For details, see Installing the web console. 


12.1. ALLOWING A NEW PORT ON A SYSTEM WITH ACTIVE SELINUX 


Enable the web console to listen on a selected port. 


Prerequisites 


e The web console must be installed and accessible. For details, see Installing the web console. 


Procedure 


€ For ports that are not defined by any other part of SELinux, run: 

| $ sudo semanage port -a -t websm_port_t -p tcp PORT NUMBER 
€ For ports that already are defined by other part of SELinux, run: 

| $ sudo semanage port -m -t websm port t -p tco PORT NUMBER 


The changes should take effect immediately. 


12.2. ALLOWING A NEW PORT ON A SYSTEM WITHFIREWALLD 


Enable the web console to receive connections on a new port. 


Prerequisites 
e The web console must be installed and accessible. For details, see Installing the web console. 


e The firewalld service must be running. 


Procedure 


1 Toadda new port number, run the following command: 
| $ sudo firewall-cmd --permanent --service cockpit --add-port=PORT_NUMBER/tcp 
2. To remove the old port number from the cockpit service, run: 


| $ sudo firewall-cmd --permanent --service cockpit --remove-port=OLD_PORT_NUMBER/tcp 
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IMPORTANT 


If you only run the firewall-cmd --service cockpit --add-portZPORT NUMBER/tcp 
without the --permanent option, your change will be canceled with the next reload of 
firewalld or a system reboot. 


12.3. CHANGING THE WEB CONSOLE PORT 


Change default transmission control protocol (TCP) on port 9090 to a different one. 


Prerequisites 
e The web console must be installed and accessible. For details, see Installing the web console. 


e |fyouhave SELinux protecting your system, you need to set it to allow Cockpit to listen on a new 
port. For more information, see Allowing a new port on a system with active SELinux . 


e If you have firewalld configured as your firewall, you need to set it to allow Cockpit receive 


connections on a new port, for more information, see Allowing a new port on a system with 
firewalld. 


Procedure 
1. Change the listening port with one of the following methods: 
a. Using the systemctl edit cockpit.socket command: 


i. Run the following command: 
| $ sudo systemctl edit cockpit.socket 


This will open the /etc/systemd/system/cockpit.socket.d/override.conf file. 


ii. Modify the content of override.conf or add a new content in the following format: 


[Socket] 
ListenStream= 
ListenStream-PORT NUMBER 


b. Alternatively, add the above mentioned content to the 
letc/systemd/system/cockpit.socket.d/listen.conf file. 
Create the cockpit.socket.d. directory and the listen.conf file if they do not exist yet. 


2. Run the following commands for changes to take effect: 


$ sudo systemctl daemon-reload 
$ sudo systemctl restart cockpit.socket 


If you used systemctl edit cockpit.socket in the previous step, running systemctl daemon- 
reload is not necessary. 


Verification steps 


€ To verify that the change was successful, try to connect to the web console with the new port. 
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CHAPTER 13. MANAGING FIREWALL USING THE WEB 
CONSOLE 


A firewall is a way to protect machines from any unwanted traffic from outside. It enables users to 
control incoming network traffic on host machines by defining a set of firewall rules. These rules are used 
to sort the incoming traffic and either block it or allow through. 


Prerequisites 


e The RHEL 8 web console configures the firewalld service. 
For details about the firewalld service, see Getting started with firewalld. 


13.1. RUNNING FIREWALL USING THE WEB CONSOLE 


This section describes where and how to run the RHEL 8 system firewall in the web console. 


NOTE 


The RHEL 8 web console configures the firewalld service. 


Procedure 


1. Log in to the RHEL 8 web console. 
For details, see Logging in to the web console . 


2. Open the Networking section. 


3. In the Firewall section, click ON to run the firewall. 


server2 
Е Mbps Sending Kbps Receiving 
3.20 800 


4:00 14:0 4:00 4:0 4:02 4:03 4:04 
Firewall 


12 Active Rules 


If you do not see the Firewall box, log in to the web console with the administration privileges. 
At this stage, your firewall is running. 


To configure firewall rules, see Section 13.6, "Enabling services on the firewall using the web console" . 


13.2. STOPPING FIREWALL USING THE WEB CONSOLE 


This section describes where and how to stop the RHEL 8 system firewall in the web console. 


NOTE 


The RHEL 8 web console configures the firewalld service. 
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Procedure 


1. Log in to the RHEL 8 web console. 
For details, see Logging in to the web console . 


2. Open the Networking section. 


3. In the Firewall section, click OFF to stop it. 
EJ SENE Mbps Sending Kbps Receiving 
3.20 800 


1.60 400 


14:00 14:0 4:02 4:03 4:04 4:00 
Firewall 


12 Active Rules 


If you do not see the Firewall box, log in to the web console with the administration privileges. 


At this stage, the firewall has been stopped and does not secure your system. 


13.3. ZONES 


firewalld can be used to separate networks into different zones according to the level of trust that the 
user has decided to place on the interfaces and traffic within that network. A connection can only be 
part of one zone, but a zone can be used for many network connections. 


NetworkManager notifies firewalld of the zone of an interface. You can assign zones to interfaces with: 
e NetworkManager 
e firewall-config tool 
e firewall-cmd command-line tool 
e The RHEL web console 


The latter three can only edit the appropriate NetworkManager configuration files. If you change the 
zone of the interface using the web console, firewall-cmd or firewall-config, the request is forwarded 
to NetworkManager and is not handled by firewalld. 


The predefined zones are stored in the /usr/lib/firewalld/zones/ directory and can be instantly applied 
to any available network interface. These files are copied to the /etc/firewalld/zones/ directory only 
after they are modified. The default settings of the predefined zones are as follows: 


block 


Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and 
icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are 
possible. 


dmz 


For computers in your demilitarized zone that are publicly-accessible with limited access to your 
internal network. Only selected incoming connections are accepted. 


drop 
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Any incoming network packets are dropped without any notification. Only outgoing network 
connections are possible. 


external 


For use on external networks with masquerading enabled, especially for routers. You do not trust the 
other computers on the network to not harm your computer. Only selected incoming connections are 
accepted. 


home 


For use at home when you mostly trust the other computers on the network. Only selected incoming 
connections are accepted. 


internal 


For use on internal networks when you mostly trust the other computers on the network. Only 
selected incoming connections are accepted. 


public 


For use in public areas where you do not trust other computers on the network. Only selected 
incoming connections are accepted. 


trusted 
All network connections are accepted. 
Work 


For use at work where you mostly trust the other computers on the network. Only selected incoming 
connections are accepted. 


One of these zones is set as the default zone. When interface connections are added to 
NetworkManager, they are assigned to the default zone. On installation, the default zone іп firewalld is 
set to be the public zone. The default zone can be changed. 


NOTE 


The network zone names should be self-explanatory and to allow users to quickly make a 
reasonable decision. To avoid any security problems, review the default zone 
configuration and disable any unnecessary services according to your needs and risk 
assessments. 


Additional resources 


€ The firewalld.zone(5) man page. 


13.4. ZONES IN THE WEB CONSOLE 


IMPORTANT 


Firewall zones are new in the RHEL 8.1.0 Beta. 


The Red Hat Enterprise Linux web console implements major features of the firewalld service and 
enables you to: 


€ Add predefined firewall zones to a particular interface or range of IP addresses 
e Configure zones with selecting services into the list of enabled services 


e Disable a service by removing this service from the list of enabled service 
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Remove a zone from an interface 


13.5. ENABLING ZONES USING THE WEB CONSOLE 


The web console enables you to apply predefined and existing firewall zones on a particular interface or 
arange of IP addresses. This section describes how to enable a zone on an interface. 


Prerequisites 


The RHEL 8 web console has been installed. 
For details, see Installing the web console. 


The firewall must be enabled. 
For details, see Section 13.1, "Running firewall using the web console". 


Procedure 


1. 


2. 


Э. 


Log in to the RHEL web console with administration privileges. 
For details, see Logging in to the web console . 


Click Networking. 


Click on the Firewall box title. 


server2 
EJ Mbps Sending Kbps Receiving 
3.2 800 


4:00 14 4:00 02 4:04 
Networking Firewall 
Accounts 


12 Active Rules 


If you do not see the Firewall box, log in to the web console with the administrator privileges. 


. In the Firewall section, click Add Services. 
. Click on the Add Zone button. 


. In the Add Zone dialog box, select a zone from the Trust level scale. 


You can see here all zones predefined in the firewalld service. 


. In the Interfaces part, select an interface or interfaces on which the selected zone is applied. 


. In the Allowed Addresses part, you can select whether the zone is applied on: 


ө the whole subnet 


e orarange of IP addresses in the following format: 


o 192.168.1.0 
o 192.168.1.0/24 


о 192.168.1.0/24, 192.168.1.0 
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9. Click on the Add zone button. 


Add Zone 


Trust level Sorted from least trusted to most trusted Custom zones 


Public External DMZ Work Home Internal Public 


Description For use in home areas. You mostly trust the other computers on networks to 
not harm your computer. Only selected incoming connections are accepted. 


Included services ssh, mdns, samba-client, dhcpv6-client 


Interfaces (м enp0s31f6 (_} virbro 


Allowed Addresses (® Entire subnet 


© Range 


Verify the configuration in Active zones. 


Active zones 


libvirt virbrO 


Public v default 


13.6. ENABLING SERVICES ON THE FIREWALL USING THE WEB 
CONSOLE 


By default, services are added to the default firewall zone. If you use more firewall zones on more 
network interfaces, you must select a zone first and then add the service with port. 


The RHEL 8 web console displays predefined firewalld services and you can add them to active firewall 
zones. 


IMPORTANT 
The RHEL 8 web console configures the firewalld service. 


The web console does not allow generic firewalld rules which are not listed in the web 
console. 


Prerequisites 


e The RHEL 8 web console has been installed. 
For details, see Installing the web console. 
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e The firewall must be enabled. 
For details, see Section 13.1, "Running firewall using the web console". 
Procedure 


1. Log in to the RHEL web console with administrator privileges. 
For details, see Logging in to the web console . 


2. Click Networking. 


3. Click on the Firewall box title. 


server2 
E Mbps Sending Kbps Receiving 
3.20 800 


1.60 400 


4:00 4 4:02 4:03 4:04 4 
Networking Firewall 


12 Active Rules 


If you do not see the Firewall box, log in to the web console with the administrator privileges. 


4. In the Firewall section, click Add Services. 


Ыл Active zones 


libvirt virbro 


Public vdefault 


Allowed Services 


Public 


libvirt 


DHCPv6 libvirt Go 


DHCPv6 Client Public 


5. In the Add Services dialog box, select a zone for which you want to add the service. 
The Add Services dialog box includes a list of active firewall zones only if the system includes 
multiple active zones. 


If the system uses just one (the default) zone, the dialog does not include zone settings. 
6. In the Add Services dialog box, find the service you want to enable on the firewall. 


7. Enable desired services. 
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Add Services 


Add services to following zones: 


С] libvirt (_} Public (default) 


(€) Services 
Filter Services | FreelPA 


FreelPA with LDAPS 
TCP: 80, 443, 88, 464,636 UDP:88, 464, 123 


FreelPA replication 
TCP: 7389 


FreelPA trust setup 
TCP: 135. 138-139. 389, 445, 1024-1300. 3268 UDP: 138-139. 389, 445 


(_) Custom Ports 


Cancel Add Services 


8. Click Add Services. 


At this point, the RHEL 8 web console displays the service in the list of Allowed Services. 


13.7. CONFIGURING CUSTOM PORTS USING THE WEB CONSOLE 


The web console allows you to add: 


€ Services listening on standard ports: Section 13.6, "Enabling services on the firewall using the 
web console" 


€ Services listening on custom ports. 


This section describes how to add services with custom ports configured. 


Prerequisites 


e The RHEL 8 web console has been installed. 
For details, see Installing the web console. 


e The firewall must be enabled. 
For details, see Section 13.1, "Running firewall using the web console". 


Procedure 
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1. Log in to the RHEL web console with administrator privileges. 
For details, see Logging in to the web console . 


2. Click Networking. 


3. Click on the Firewall box title. 


server2 
E Mbps Sending Kbps Receiving 
3.20 800 


1.60 400 


Networking Firewall 


12 Active Rules 


If you do not see the Firewall box, log in to the web console with the administration privileges. 


4. In the Firewall section, click Add Services. 


Fy server2 Active zones 


libvirt virbro 


Storage 


Public vdefault 


Allowed Services 


Networking 


Applications Public 
Diagnostic Reports 
Ше 


DHCPv6 libvirt 


DHCPv6 Client Public 


Kernel Dump 
te п 


5. In the Add Services dialog box, select a zone for which you want to add the service. 
The Add Services dialog box includes a list of active firewall zones only if the system includes 
multiple active zones. 


If the system uses just one (the default) zone, the dialog does not include zone settings. 
6. In the Add Ports dialog box, click on the Custom Portsradio button. 


7. In the TCP and UDP fields, add ports according to examples. You can add ports in the following 
formats: 


e Port numbers such as 22 
e Range of port numbers such as 5900-5910 


€ Aliases such as nfs, rsync 
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NOTE 


You can add multiple values into each field. Values must be separated with the 
"^ comma and without the space, for example: 8080,8081,http 


8. After adding the port number in the TCP and/or UDP fields, verify the service name in the 
Name field. 


The Name field displays the name of the service for which is this port reserved. You can rewrite 
the name if you are sure that this port is free to use and no server needs to communicate on this 
port. 

9. Inthe Name field, add a name for the service including defined ports. 


10. Click on the Add Ports button. 


Add Ports 


Add ports to the following zones: 


( ]libvirt (v Public (default) 


© Services 
(€) Custom Ports 
Comma-separated ports, ranges, and aliases are accepted 
TCP | 8081 


UDP | Example: 88,2019 


Name | My Web Server 


Cancel Add Ports 


To verify the settings, go to the Firewall page and find the service in the list of Allowed Services. 


Allowed Services 


libvirt 
libvirt 


libvirt 


My Web Server public 


SSH libvirt 


13.8. DISABLING ZONES USING THE WEB CONSOLE 
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This section describes how to disable a firewall zone in your firewall configuration using the web console. 


Prerequisites 
e The RHEL 8 web console has been installed. 
For details, see Installing the web console. 
Procedure 


1. Log in to the RHEL web console with administrator privileges. 
For details, see Logging in to the web console . 


2. Click Networking. 


3. Click on the Firewall box title. 


server2 
EJ Mbps Sending Kbps Receiving 
3.20 800 


1.60 400 


4:00 14 4:02 4:03 4:04 4:00 


12 Active Rules 


If you do not see the Firewall box, log in to the web console with the administrator privileges. 


4. On the Active zones table, click on the Delete icon at the zone you want to remove. 


Active zones 


libvirt virbrO 


Public wv default 


The zone is now disabled and the interface does not include opened services and ports which were 
configured in the zone. 
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CHAPTER 14. APPLYING A GENERATED ANSIBLE PLAYBOOK 


When troubleshooting issues with SELinux, the web console is able to generate a shell script or an 
Ansible playbook that you can then export and apply for more machines. 
Prerequisites 
e The web console interface needs to be installed and accessible. 
For details, see Installing the web console. 
Procedure 


1. Click SELinux. 


2. Click "View the automation script" on the upper right side. 
A window with the generated script opens. You can navigate between a shell script and an 
Ansible playbook generation options tab. 


Automation Script 


Shell Script |Ansible | 
- name: Allow virt to sandbox use all caps 
seboolean: 
name: virt sandbox use all caps 
state: yes 
persistent: yes 


- name: Allow virt to use nfs 
seboolean: 
name: virt use nfs 
state: yes 
persistent: yes 


Q Create new task file with this content. (7 Ansible roles documentation 


E Copy to clipboard 


3. Click the Copy to clipboard button to select the script or playbook and apply it. 


As a result, you have an automation script that you can apply to more machines. 


Additional resources 


e Troubleshootng problems related to SELinux 
e Deploying the same SELinux configuration on multiple systems 


€ Fordetails about the ansible-playbook command, see the ansible-playbook(1) man page. 
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CHAPTER 15. MANAGING PARTITIONS USING THE WEB 
CONSOLE 


Learn how to manage file systems on RHEL 8 using the web console. 


For details about the available file systems, see the Overview of available file systems. 


15.1. DISPLAYING PARTITIONS FORMATTED WITH FILE SYSTEMS IN 
THE WEB CONSOLE 


The Storage section in the web console displays all available file systems in the Filesystems table. 


This section navigates you to get to the list of partitions formatted with file systems displayed in the 
web console. 


Prerequisites 


e The cockpit-storaged package is installed on your system. 


€ The web console must be installed and accessible. 
For details, see Installing the web console. 


Procedure 


1. Log in to the RHEL web console. 
For details, see Logging in to the web console . 


2. Click on the Storage tab. 


In the Filesystems table, you can see all available partitions formatted with file systems, its name, size 
and how much space is available on each partition. 


RED HAT ENTERPRISE LINUX 


clienti 
Е KiB/s Reading KiB/s Writing 
96 


Logs 
Storage 
Networking Filesystems 

Name Mount Point 

/dev/rhel/root / 11.8/17.0 GIB 


Applications /dev/sda1 290 / 1014 MiB 


15.2. CREATING PARTITIONS IN THE WEB CONSOLE 


To create a new partition: 


€ Usean existing partition table 
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€ Create a partition 


Storage » /dev/sdb 


Block 
-apacity 500 GiB 
Device File /dev/sdb 
Content Create partition table 
500 GiB Free Space Create Partition 


Prerequisites 


e The cockpit-storaged package is installed on your system. 


€ The web console must be installed and accessible. 
For details, see Installing the web console. 


e Anunformatted volume connected to the system visible in the Other Devicestable of the 
Storage tab. 


Procedure 


1. Log in to the RHEL web console. 
For details, see Logging in to the web console . 


2. Click the Storage tab. 

3. In the Other Devicestable, click a volume in which you want to create the partition. 
4. In the Content section, click the Create Partition button. 

5. In the Create partition dialog box, select the size of the new partition. 


6. In the Erase drop down menu, select: 


e Don’t overwrite existing data— the RHEL web console rewrites only the disk header. 
Advantage of this option is speed of formatting. 


e Overwrite existing data with zeros— the RHEL web console rewrites the whole disk with 
zeros. This option is slower because the program has to go through the whole disk, but it is 
more secure. Use this option if the disk includes any data and you need to overwrite it. 


7. In the Type drop down menu, select a file system: 


e XFS file system supports large logical volumes, switching physical drives online without 
outage, and growing an existing file system. Leave this file system selected if you do not 
have a different strong preference. 


€ ext4 file system supports: 
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o Logical volumes 

o Switching physical drives online without outage 
o Growing a file system 

o Shrinking a file system 


Additional option is to enable encryption of partition done by LUKS (Linux Unified Key Setup), 
which allows you to encrypt the volume with a passphrase. 


8. In the Name field, enter the logical volume name. 


9. In the Mounting drop down menu, select Custom. 
The Default option does not ensure that the file system will be mounted on the next boot. 


10. In the Mount Point field, add the mount path. 
Tl. Select Mount at boot. 
12. Click the Create partition button. 


Create partition on /dev/sdb 


500 | GiB 
Don't overwrite existing data 
XFS - Red Hat Enterprise Linux 7 default 
Name | Partition 1 
Mounting | Custom v 
Mount options [M] Mount at boot 
[_) Mount read only 


[_) Custom mount options 


Cancel Create partition 


Formatting can take several minutes depending on the volume size and which formatting 
options are selected. 


After the formatting has completed successfully, you can see the details of the formatted 
logical volume on the Filesystem tab. 


To verify that the partition has been successfully added, switch to the Storage tab and check the 
Filesystems table. 
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Filesystems 


Name Mount Point Size 


Idev/rhel/root / [ШО 12.1/17.0 GiB 


/dev/sda1 /boot 290 / 1014 MiB 


Partition 1 /media 500 GiB 


15.3. DELETING PARTITIONS IN THE WEB CONSOLE 


This paragraph is the procedure module introduction: a short description of the procedure. 


Prerequisites 


e The cockpit-storaged package is installed on your system. 


€ The web console must be installed and accessible. 
For details, see Installing the web console. 


€ Unmount the partition's file system. 
For details about mounting and unmounting partitions, see Section 15.4, "Mounting and 
unmounting file systems in the web console". 


Procedure 


1. Log in to the RHEL web console. 
For details, see Logging in to the web console . 


2. Click on the Storage tab. 
3. In the Filesystems table, select a volume in which you want to delete the partition. 


4. In the Content section, click on the partition you want to delete. 


Content 
› 512 MIB ext4 File System /dev/nvmeOn1p1 
› 32 GIB Encrypted data /dev/nvme0n1p2 
> 32.0 СІВ ext4 File System /dev/mapper/luks-20bca9d6-0fb1-4bb8-8643-5f915415dea8 
› 8.00 GiB Encrypted data /dev/nvme0n1p3 
> 8 GIB Swap Space /dev/mapper/luks-01afed46-ab21-4037-8927-6c01a7ae1dcO 
> 198 GIB Extended Partition /dev/nvme0n1p4 
> 198 СІВ Encrypted data /dev/nvmeOn1p5 
› 198 GiB ext4 File System /dev/mapper/luks-913540eb-284e-4e56-8158-572e6f4e8cfe 


5. The partition rolls down and you can click on the Delete button. 


78 


CHAPTER 15. MANAGING PARTITIONS USING THE WEB CONSOLE 


м 198 СІВ Extended Partition /dev/nvme0n1p4 
Partition Unrecognized Data 
Name - 
Size 198 GiB 


JUID a98632eb-04 
Type 0x05 


The partition must not be mounted and used. 


To verify that the partition has been successfully removed, switch to the Storage tab and check the 
Content table. 


15.4. MOUNTING AND UNMOUNTING FILE SYSTEMS IN THE WEB 
CONSOLE 


To be able to use partitions on RHEL systems, you need to mount a filesystem on the partition as a 
device. 


NOTE 


You also can unmount a file system and the RHEL system will stop using it. Unmounting 
the file system enables you to delete, remove, or re-format devices. 


Prerequisites 


e The cockpit-storaged package is installed on your system. 


€ The web console must be installed and accessible. 
For details, see Installing the web console. 


€ |fyou want to unmount a file system, ensure that the system does not use any file, service, or 
application stored in the partition. 


Procedure 


1. Log in to the RHEL web console. 
For details, see Logging in to the web console . 


2. Click on the Storage tab. 
3. In the Filesystems table, select a volume in which you want to delete the partition. 
4. |n the Content section, click on the partition whose file system you want to mount or unmount. 


5. Click on the Mount or Unmount button. 
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v 198 GiB ext4 File System /dev/mapper/luks-913540eb-284e-4e56-8158-572e6f4e8cfe 


Filesystem 


Format 
Name FormattedPartition 


Mount Point /FormattedPartition 


Mount Options defaults,x-systemd.device-timeout=0 


Mounted At /FormattedPartition 


Used 115 GiB of 194 GiB 


At this point, the file system has been mounted or unmounted according to your action. 
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CHAPTER 16. MANAGING NFS MOUNTS IN THE WEB 
CONSOLE 


The RHEL 8 web console enables you to mount remote directories using the Network File System (NFS) 
protocol. 


NFS makes it possible to reach and mount remote directories located on the network and work with the 
files as if the directory was located on your physical drive. 


Prerequisites 


e The RHEL 8 web console has been installed. 
For details, see Installing the web console. 


e The cockpit-storaged package is installed on your system. 
e NFS server name or IP address. 


e Path to the directory on the remote server. 


16.1. CONNECTING NFS MOUNTS IN THE WEB CONSOLE 


Connect a remote directory to your file system using NFS. 


Prerequisites 


ө NFS server name or IP address. 


e Path to the directory on the remote server. 


Procedure 


1. Log in to the RHEL 8 web console. 
For details, see Logging in to the web console . 


2. Click Storage. 


3. Click + in the NFS mounts section. 


NFS Mounts 


Server Mount Point Size 


10.253.16.5 /volume1/movie /mnt/movie pm 1.51 / 3.49 ТІВ 


4. Inthe New NFS Mount dialog box, enter the server or IP address of the remote server. 
5. In the Path on Serverfield, enter the path to the directory you want to mount. 


6. In the Local Mount Point field, enter the path where you want to find the directory in your local 
system. 


7. Select Mount at boot. This ensures that the directory will be reachable also after the restart of 
the local system. 
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8. Optionally, select Mount read only if you do not want to change the content. 


New NFS Mount 


fileserver.example.com 
/volume'/videotutorials 
/mnt/tutorials 


ins (М Mount at boot 


(М Mount read only 


— Custom mount option 


Cancel Add 


9. Click Add. 


At this point, you can open the mounted directory and verify that the content is accessible. 


Server Mount Point Size 


10.253.16.5 /volumel/vid.. —/mnt/tutorial [eer 1.51 / 3.49 ТІВ 


To troubleshoot the connection, you can adjust it with the Custom Mount Options. 


16.2. CUSTOMIZING NFS MOUNT OPTIONS IN THE WEB CONSOLE 
Edit an existing NFS mount and add custom mount options. 


Custom mount options can help you to troubleshoot the connection or change parameters of the NFS 
mount such as changing timeout limits or configuring authentication. 


Prerequisites 


e NFS mount added. 


Procedure 


1. Log in to the RHEL 8 web console. 
For details, see Logging in to the web console . 


2. Click Storage. 
3. Click on the NFS mount you want to adjust. 


4. |f the remote directory is mounted, click Unmount. 
The directory must not be mounted during the custom mount options configuration. Otherwise 
the web console does not save the configuration and this will cause an error. 
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10.253.16.5:/volume1/movie E 


Server 10.253.16.5:/volume1/movie 


Mount Point /mnt/movie 


Size [ОООО 1.52 / 3.49 TiB 


5. Click Edit. 


10.253.16.5:/volume1/movie Unmount Remove 


Server 10.253.16.5:/volume1/movie 


Mount Point /mnt/movie 


Size EUN 1.52 / 3.49 ТІВ 


6. In the NFS Mount dialog box, select Custom mount option. 


7. Enter mount options separated by a comma. For example: 


e nfsvers=4 — the NFS protocol version number 
e soft— type of recovery after an NFS request times out 


e sec-krb5 — files on the NFS server can be secured by Kerberos authentication. Both the 
NFS client and server have to support Kerberos authentication. 


NFS Mount 


Server Address | fileserver.example.com 


Path on Server | /volume1/movie 
Local Mount Point | /mnt/movie 
Mount Options (М Mount at boot 


[М Mount read оп! 


(V| custom mount option | nfsvers=4,soft,sec=krb5 


Cancel Apply 


For a complete list of the NFS mount options, enter man nfs in the command line. 


8. Click Apply. 


9. Click Mount. 
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Now you can open the mounted directory and verify that the content is accessible. 


NFS Mounts 


Server Mount Point Size 


10.253.16.5 /volumel/vid.. —/mnt/tutorial [cm —— 1.51 / 3.49 ТЇВ 


84 


CHAPTER 17. MANAGING REDUNDANT ARRAYS OF INDEPENDENT DISKS IN THE WEB CONSOLE 


CHAPTER 17. MANAGING REDUNDANT ARRAYS OF 
INDEPENDENT DISKS IN THE WEB CONSOLE 


Redundant Arrays of Independent Disks (RAID) represents a way how to arrange more disks into one 
storage. RAID protects data stored in the disks against disk failure. 


RAID uses the following data distribution strategies: 


e Mirroring — data are copied to two different locations. If one disk fails, you have a copy and your 
data is not lost. 


e Striping — data are evenly distributed among disks. 
Level of protection depends on the RAID level. 
The RHEL web console supports the following RAID levels: 
€ RAID O (Stripe) 
€ RAID 1 (Mirror) 
e RAID 4 (Dedicated parity) 
e RAID 5 (Distributed parity) 
e RAID 6 (Double Distributed Parity) 
e RAID 10 (Stripe of Mirrors) 
Before you can use disks in RAID, you need to: 
e Create а RAID. 
ө Format it with file system. 


e Mount the RAID to the server. 


Prerequisites 


e The RHEL 8 web console has been installed. 
For details, see Installing the web console. 


e The cockpit-storaged package is installed on your system. 


e The RHEL 8 web console is running and accessible. 
For details, see Installing the web console. 


17.1. CREATING RAID IN THE WEB CONSOLE 


Configure RAID in the RHEL 8 web console. 


Prerequisites 


€ Physical disks connected to the system. Each RAID level requires different amount of disks. 
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Procedure 


1. 


2. 


Open the RHEL 8 web console. 


Click Storage. 


. Click the * icon in the RAID Devices box. 


RAID Devices 


No storage set up as RAID 


. In the Create RAID Devicedialog box, enter a name for a new RAID. 
. In the RAID Level drop-down list, select a level of RAID you want to use. 


. In the Chunk Size drop-down list, leave the predefined value as it is. 


The Chunk Size value specifies how large is each block for data writing. If the chunk size is 512 
KiB, the system writes the first 512 KiB to the first disk, the second 512 KiB is written to the 
second disk, and the third chunk will be written to the third disk. If you have three disks in your 
RAID, the fourth 512 KiB will be written to the first disk again. 


. Select disks you want to use for RAID. 


Create RAID Device 


Name | тугаід5 
RAID Level | RAID 5 (Distributed Parity) x 
Chunk Size | 512 KiB M 
Disks | Q4 20 MiB QEMU HARDDISK(DISK1) /дем/ѕда1 
(М 20 MiB QEMU HARDDISK(DISK2) /dev/sdb1 
[М] 20 MiB QEMU HARDDISK(DISK3) Idevisdci 


8. Click Create. 


In the Storage section, you can see the new RAID in the RAID devices box and format it. 


RAID Devices 


myraid5 
60 GiB 


Now you have the following options how to format and mount the new RAID in the web console: 
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e Formatting RAID 


€ Creating partitions on partition table 
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e Creating a volume group on top of RAID 


17.2. FORMATTING RAID IN THE WEB CONSOLE 


Format the new software RAID device created in the RHEL 8 web interface. 


Prerequisites 


€ Physical disks are connected and visible by RHEL 8. 
€ RAID is created. 
€ Consider the file system which will be used for the RAID. 


e Consider creating of a partitioning table. 


Procedure 


1. Open the RHEL 8 web console. 

2. Click Storage. 

3. In the RAID devices box, choose the RAID you want to format by clicking on it. 
4. In the RAID details screen, scroll down to the Content part. 


5. Click to the newly created RAID. 


Content Create partition table 


v 120 GiB Unrecognized Data /dev/md/myraid5 


Unrecognized Data 


Format 


6. Click the Format button. 


7. In the Erase drop-down list, select: 


e Don’t overwrite existing data— the RHEL web console rewrites only the disk header. 
Advantage of this option is speed of formatting. 


e Overwrite existing data with zeros— the RHEL web console rewrites the whole disk with 
zeros. This option is slower because the program has to go through the whole disk. Use this 


option if the RAID includes any data and you need to rewrite it. 


8. In the Type drop-down list, select a XFS file system, if you do not have another strong 
preference. 


9. Enter a name of the file system. 


10. In the Mounting drop down list, select Custom. 
The Default option does not ensure that the file system will be mounted on the next boot. 
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11. In the Mount Point field, add the mount path. 


12. Select Mount at boot. 


Format /dev/md/myraid5 


Erase | Don't overwrite existing data м 
Type | XFS - Red Hat Enterprise Linux 7 default Y 
Name | myraidfs 
Mounting | Custom x 
Mount options [f Mount at boot 


[_) Mount read only 


[_) Custom mount options 


Formatting a storage device will erase all data on it. 


13. Click the Format button. 
Formatting can take several minutes depending on the used formatting options and size of 
RAID. 


After successful finish, you can see the details of the formatted RAID on the Filesystem tab. 


Content Create partition table 
v 59 GIB xfs File System /dev/md/myraid5 
Filesystem 
Format 
Name myraidfs 
Mount Point /media Mount 
Mount Options defaults 


Jsed - 


14. To use the RAID, click Mount. 


At this point, the system uses mounted and formatted RAID. 


17.3. USING THE WEB CONSOLE FOR CREATING A PARTITION TABLE 
ON RAID 
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Format RAID with the partition table on the new software RAID device created in the RHEL 8 web 
interface. 


RAID requires formatting as any other storage device. You have two options: 
e Format the RAID device without partitions 


€ Create a partition table with partitions 


Prerequisites 


€ Physical disks are connected and visible by RHEL 8. 
€ RAID is created. 
e Consider the file system used for the RAID. 


€ Consider creating a partitioning table. 


Procedure 


1. Open the RHEL 8 web console. 

2. Click Storage. 

3. In the RAID devices box, select the RAID you want to edit. 
4. In the RAID details screen, scroll down to the Content part. 


5. Click to the newly created RAID. 


Content Create partition table 


v 120 GiB Unrecognized Data /dev/md/myraid5 


Unrecognized Data 


Format 


6. Click the Create partition table button. 


7. Inthe Erase drop-down list, select: 


e Don’t overwrite existing data— the RHEL web console rewrites only the disk header. 
Advantage of this option is speed of formatting. 


e Overwrite existing data with zeros— the RHEL web console rewrites the whole RAID with 
zeros. This option is slower because the program has to go through the whole RAID. Use this 
option if RAID includes any data and you need to rewrite it. 


8. In the Partitioning drop-down list, select: 


e Compatible with modern system and hard disks > 2TB (GPT) — GUID Partition Table is a 
modern recommended partitioning system for large RAIDs with more than four partitions. 
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e Compatible with all systems and devices (MBR) — Master Boot Record works with disks up 
to2 TB in size. MBR also support four primary partitions max. 


Format Disk /dev/md/myraid5 


Erase | Don't overwrite existing data x 


Partitioning | Compatible with modern system and hard disks » 2TB (GPT) v 


Formatting a disk will erase all data on it. 


Cancel Format 


9. Click Format. 


At this point, the partitioning table has been created and you can create partitions. 


For creating partitions, see Using the web console for creating partitions on RAID . 


17.4. USING THE WEB CONSOLE FOR CREATING PARTITIONS ON RAID 


Create a partition in the existing partition table. 


Prerequisites 


Partition table is created. 
For details, see Section 17.3, "Using the web console for creating a partition table on RAID" 


Procedure 


1. 


2. 


Э. 
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Open the RHEL 8 web console. 
Click Storage. 


In the RAID devices box, click to the RAID you want to edit. 


. In the RAID details screen, scroll down to the Content part. 

. Click to the newly created RAID. 

. Click Create Partition 

. In the Create partition dialog box, set up the size of the first partition. 


. In the Erase drop-down list, select: 


e Don't overwrite existing data— the RHEL web console rewrites only the disk header. 
Advantage of this option is speed of formatting. 


e Overwrite existing data with zeros— the RHEL web console rewrites the whole RAID with 
zeros. This option is slower because the program have to go through the whole RAID. Use 
this option if RAID includes any data and you need to rewrite it. 
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9. Inthe Type drop-down list, select a XFS file system, if you do not have another strong 
preference. 


10. Enter any name for the file system. Do not use spaces in the name. 


Tl. In the Mounting drop down list, select Custom. 
The Default option does not ensure that the file system will be mounted on the next boot. 


12. In the Mount Point field, add the mount path. 
13. Select Mount at boot. 
14. Click Create partition. 


Create partition on /dev/md/myraid5 


0.509 | GiB 
Don't overwrite existing data 
XFS - Red Hat Enterprise Linux 7 default 
Name | part1xfs 


Mounting | Custom 


Mount options [4 Mount at boot 


( ] Mount read only 


[_) Custom mount options 


Cancel Create partition 


Formatting can take several minutes depending on used formatting options and size of RAID. 
After successful finish, you can continue with creating other partitions. 


At this point, the system uses mounted and formatted RAID. 


17.5. USING THE WEB CONSOLE FOR CREATING A VOLUME GROUP 
ON TOP OF RAID 


Build a volume group from software RAID. 


Prerequisites 


e RAID device, which is not formatted and mounted. 


Procedure 


1. Open the RHEL 8 web console. 
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2. Click Storage. 

3. Click the * icon in the Volume Groups box. 

4. In the Create Volume Group dialog box, enter a name for the new volume group. 
5. In the Disks list, select a RAID device. 


If you do not see the RAID in the list, unmount the RAID from the system. The RAID device must 
not be used by the RHEL 8 system. 


Create Volume Group 


Name | myvolumegroup 


Disks | (M 1.90 GIB RAID Device myraid /dev/md/myraid 


6. Click Create. 


The new volume group has been created and you can continue with creating a logical volume. 


Volume Groups 


myvolumegroup 


1.90 GIB 


rhel 
19.0 GiB 


Additional resources 


€ Tolearn more about soft corruption and how you can protect your data when configuring a RAID 
LV, see Using DM integrity with RAID LV. 
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CHAPTER 18. USING THE WEB CONSOLE FOR CONFIGURING 
LVM LOGICAL VOLUMES 


Red Hat Enterprise Linux 8 supports the L VM logical volume manager. When you install a Red Hat 
Enterprise Linux 8, it will be installed on LVM automatically created during the installation. 


Storage » rhel 


Volume Group rhel Rename 


D m190Y9-aL1C-LkSS-3uez-n8S9-DdO1-MZt96A 


Capacity 9.00 GiB, 9.66 GB, 9659482112 bytes 


Physical Volumes 


Partition of QEMU HARDDISK (QM00001) 
9.00 СІВ, 0 free 


Logical Volumes 


> 8.00 СІВ xfs File System /dev/rhel/root 


1 СІВ Swap Space /dev/rhel/swap 


The screenshot shows you a clean installation of the RHEL 8 system with two logical volumes in the 
RHEL 8 web console automatically created during the installation. 


To find out more about logical volumes, follow the sections describing: 
e What is logical volume manager and when to use it. 
e Whatare volume groups and how to create them. 
e Whatare logical volumes and how to create them. 
e How to format logical volumes. 


e How to resize logical volumes. 


Prerequisites 


e The RHEL 8 web console has been installed. 
For details, see Installing the web console. 


e The cockpit-storaged package is installed on your system. 


€ Physical drives, RAID devices, or any other type of block device from which you can create the 
logical volume. 


18.1. LOGICAL VOLUME MANAGER IN THE WEB CONSOLE 
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The RHEL 8 web console provides a graphical interface to create L VM volume groups and logical 
volumes. 


Volume groups create a layer between physical and logical volumes. It makes you possible to add or 
remove physical volumes without influencing logical volume itself. Volume groups appear as one drive 
with capacity consisting of capacities of all physical drives included in the group. 
You can join physical drives into volume groups in the web console. 
Logical volumes act as a single physical drive and it is built on top of a volume group in your system. 
Main advantages of logical volumes are: 

€ Better flexibility than the partitioning system used on your physical drive. 


e Ability to connect more physical drives into one volume. 


€ Possibility of expanding (growing) or reducing (shrinking) capacity of the volume on-line, 
without restart. 


e Ability to create snapshots. 


Additional resources 


€ For details, see Configuring and managing logical volumes. 


18.2. CREATING VOLUME GROUPS IN THE WEB CONSOLE 
Create volume groups from one or more physical drives or other storage devices. 


Logical volumes are created from volume groups. Each volume group can include multiple logical 
volumes. 


For details, see Volume groups. 


Prerequisites 

€ Physical drives or other types of storage devices from which you want to create volume groups. 
Procedure 

1. Log in to the RHEL 8 web console. 

2. Click Storage. 


3. Click the * icon in the Volume Groups box. 


Volume Groups 


No volume groups created 


4. |n the Name field, enter a name of a group without spaces. 
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5. Select the drives you want to combine to create the volume group. 


Create Volume Group 


Name | myvolumegroup 
7/555 | (M 10.0 GiB Partition of QEMU QEMU HARDDISK (DISK1) /dev/sda1 


(М 20.0 GiB RAID Device 127 /dev/md/127 


It might happen that you cannot see devices as you expected. The RHEL web console displays 
only unused block devices. Used devices means, for example: 


e Devices formatted with a file system 
€ Physical volumes in another volume group 


e Physical volumes being a member of another software RAID device 
If you do not see the device, format it to be empty and unused. 


6. Click Create. 


The web console adds the volume group in the Volume Groups section. After clicking the group, you 
can create logical volumes that are allocated from that volume group. 


Volume Groups 


myvolumegroup 
30.0 GIB 


18.3. CREATING LOGICAL VOLUMES IN THE WEB CONSOLE 


Create LVM logical volumes. 


Prerequisites 
e The cockpit-storaged package is installed on your system. 


e Volume group created. For details, see Creating volume groups іп the web console. 


Procedure 


1. Log in to the RHEL 8 web console. 
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2. Click Storage. 

3. Click the volume group in which you want to create logical volumes. 

4. Click Create new Logical Volume 

5. In the Name field, enter a name for the new logical volume without spaces. 


6. In the Purpose drop down menu, select Block device for filesystems. 
This configuration enables you to create a logical volume with the maximum volume size which is 
equal to the sum of the capacities of all drives included in the volume group. 


Create Logical Volume 


Name | mylogicalvolume 


Purpose | Block device for filesystems `2 


Size | Block device for filesystems 


Pool for thinly provisioned volumes 


7. Define the size of the logical volume. Consider: 


e How much space the system using this logical volume will need. 
e How many logical volumes you want to create. 


You do not have to use the whole space. If necessary, you can grow the logical volume later. 
Create Logical Volume 


Name | mylogicalvolume 


Purpose | Block device for filesystems 


оге oD 


8. Click Create. 


To verify the settings, click your logical volume and check the details. 
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Logical Volumes (9 Create new Logical Volume 
м 30.0 СІВ Unrecognized Data /dev/myvolumegroup/mylogicalvolume 
Volume Unrecognized Data Deactivate || Delete 
Format 
Jsage - 
Type - 


At this stage, the logical volume has been created and you need to create and mount a file system with 
the formatting process. 


18.4. FORMATTING LOGICAL VOLUMES IN THE WEB CONSOLE 


Logical volumes act as physical drives. To use them, you need to format them with a file system. 


| WARNING 
/N Formatting logical volumes will erase all data on the volume. 


The file system you select determines the configuration parameters you can use for logical volumes. For 
example, some the XFS file system does not support shrinking volumes. For details, see Resizing logical 
volumes in the web console. 


The following steps describe the procedure to format logical volumes. 


Prerequisites 
e The cockpit-storaged package is installed on your system. 


e Logical volume created. For details, see Creating volume groups in the web console . 


Procedure 


1. Log in to the RHEL web console. 
2. Click Storage. 


3. Click the volume group in which the logical volume is placed. 


A 


. Click the logical volume. 


5. Click on the Unrecognized Data tab. 


97 


Red Hat Enterprise Linux 8 Managing systems using the RHEL 8 web console 


Logical Volumes (9 Create new Log 
v 30.0 GIB Unrecognized Data /dev/myvolumegroup/mylogicalvolume 
Volume Unrecognized Data Deactivate || Delete 
Format 
Usage - 
Type - 


6. Click Format. 


7. In the Erase drop down menu, select: 


e Don'toverwrite existing data— the RHEL web console rewrites only the disk header. 
Advantage of this option is speed of formatting. 


e Overwrite existing data with zeros— the RHEL web console rewrites the whole disk with 
zeros. This option is slower because the program have to go through the whole disk. Use this 
option if the disk includes any data and you need to overwrite it. 

8. Inthe Type drop down menu, select a file system: 
e XFS file system supports large logical volumes, switching physical drives online without 


outage, and growing an existing file system. Leave this file system selected if you do not 
have a different strong preference. 


XFS does not support reducing the size of a volume formatted with an XFS file system 
€ ext4 file system supports: 


o Logical volumes 

© Switching physical drives online without outage 
o Growing a file system 

o Shrinking a file system 


You can also select a version with the LUKS (Linux Unified Key Setup) encryption, which allows 
you to encrypt the volume with a passphrase. 


9. In the Name field, enter the logical volume name. 


10. In the Mounting drop down menu, select Custom. 
The Default option does not ensure that the file system will be mounted on the next boot. 


Tl. In the Mount Point field, add the mount path. 


12. Select Mount at boot. 
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Format /dev/volumegroup1/thinvolume1 


Erase | Don't overwrite existing data = 


уре | XFS - Red Hat Enterprise Linux 7 default Y 


Name | myfilesystem 


Mounting | Custom i 
Mount options (м Mount at boot 


[_) Mount read only 


[_) Custom mount options 


Formatting a storage device will erase all data on it. 


13. Click Format. 


Formatting can take several minutes depending on the volume size and which formatting 
options are selected. 


After the formatting has completed successfully, you can see the details of the formatted 
logical volume on the Filesystem tab. 


м 20 СІВ xfs File System /dev/myvolumegroup/mylogicalvolume 
Volume Filesystem Deactivate | Delete 


Format 
Name myfilesystem 


Mount Point (default) Mount 


14. To use the logical volume, click Mount. 


At this point, the system can use mounted and formatted logical volume. 


18.5. RESIZING LOGICAL VOLUMES IN THE WEB CONSOLE 


Learn how to extend or reduce logical volumes in the RHEL 8 web console. 


Whether you can resize a logical volume depends on which file system you are using. Most file systems 
enable you to extend (grow) the volume online (without outage). 


You can also reduce (shrink) the size of logical volumes, if the logical volume contains a file system 
which supports shrinking. It should be available, for example, in the ext3/ext4 file systems. 


99 


Red Hat Enterprise Linux 8 Managing systems using the RHEL 8 web console 


| WARNING 
AN You cannot reduce volumes that contains GFS2 or XFS filesystem. 


Prerequisites 


e Existing logical volume containing a file system which supports resizing logical volumes. 


Procedure 


The following steps provide the procedure for growing a logical volume without taking the volume 
offline: 


1. Log in to the RHEL web console. 

2. Click Storage. 

3. Click the volume group in which the logical volume is placed. 
4. Click the logical volume. 

5. On the Volume tab, click Grow. 

6. In the Grow Logical Volume dialog box, adjust volume space. 


Grow Logical Volume 


Size —9 ЩІ] GiB ~ 


7. Click Grow. 


LVM grows the logical volume without system outage. 


18.6. ADDITIONAL RESOURCES 


e For more details on creating logical volumes, see Configuring and managing logical volumes. 
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CHAPTER 19. USING THE WEB CONSOLE FOR CONFIGURING 
THIN LOGICAL VOLUMES 


Thinly-provisioned logical volumes enable you to allocate more space for designated applications or 
servers than how much space logical volumes actually contain. 


For details, see Thinly-provisioned logical volumes (thin volumes). 
The following sections describe: 
€ Creating pools for the thinly provisioned logical volumes. 
€ Creating thin logical volumes. 


e Formatting thin logical volumes. 


Prerequisites 


e The RHEL 8 web console has been installed. 
For details, see Installing the web console. 


e The cockpit-storaged package is installed on your system. 


€ Physical drives or other types of storage devices from which you want to create volume groups. 


19.1. CREATING POOLS FOR THIN LOGICAL VOLUMES IN THE WEB 
CONSOLE 


Create a pool for thinly provisioned volumes. 


Prerequisites 


e Volume group created. 


Procedure 


1. Log in to the RHEL 8 web console. 
2. Click Storage. 
3. Click the volume group in which you want to create thin volumes. 
4. Click Create new Logical Volume 
5. In the Name field, enter a name for the new pool of thin volumes without spaces. 


6. In the Purpose drop down menu, select Pool for thinly provisioned volumes This 
configuration enables you to create the thin volume. 
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Create Logical Volume 


Name | mypoolforthinvolumes 


Purpose | Pool for thinly provisioned volumes v | 


Pool for thinly provisioned volumes 


7. Define the size of the pool of thin volumes. Consider: 


e How many thin volumes you will need in this pool? 
e What is the expected size of each thin volume? 


You do not have to use the whole space. If necessary, you can grow the pool later. 


Create Logical Volume 


Name | mypoolforthinvolumes 


Purpose | Pool for thinly provisioned volumes M 


Size —— ә GiB v 


8. Click Create. 


The pool for thin volumes has been created and you can add thin volumes. 


19.2. CREATING THIN LOGICAL VOLUMES IN THE WEB CONSOLE 


Create a thin logical volume in the pool. The pool can include multiple thin volumes and each thin volume 
can be as large as the pool for thin volumes itself. 


IMPORTANT 


Using thin volumes requires regular checkup of actual free physical space of the logical 
volume. 


Prerequisites 
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e Pool for thin volumes created. 


For details, see Section 19.1, "Creating pools for thin logical volumes in the web console" . 
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Procedure 


1. Log in to the RHEL 8 web console. 
2. Click Storage. 
3. Click the volume group in which you want to create thin volumes. 
4. Click the desired pool. 
5. Click Create Thin Volume. 


Logical Volumes © Create new Logical Volume 


60 GiB Pool for Thin Volumes thinlogicalvolume Create Thin Volume 


Deactivate Delete 


e thinlogicalvolume 
size. 60 GiB Grow 


sed 0% 


6. In the Create Thin Volume dialog box, enter a name for the thin volume without spaces. 


7. Define the size of the thin volume. 


Create Thin Volume 


Name | thinvolume1 


Size ——————————9 GiB ~ 


8. Click Create. 


At this stage, the thin logical volume has been created and you need to format it. 


19.3. FORMATTING LOGICAL VOLUMES IN THE WEB CONSOLE 


Logical volumes act as physical drives. To use them, you need to format them with a file system. 


| WARNING 
/N Formatting logical volumes will erase all data on the volume. 
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The file system you select determines the configuration parameters you can use for logical volumes. For 
example, some the XFS file system does not support shrinking volumes. For details, see Resizing logical 
volumes in the web console. 


The following steps describe the procedure to format logical volumes. 


Prerequisites 


e The cockpit-storaged package is installed on your system. 


e Logical volume created. For details, see Creating volume groups in the web console . 


Procedure 


1. Log in to the RHEL web console. 

2. Click Storage. 

3. Click the volume group in which the logical volume is placed. 
4. Click the logical volume. 


5. Click on the Unrecognized Data tab. 


Logical Volumes (9 Create new Logical Volume 
м 30.0 GIB Unrecognized Data /dev/myvolumegroup/mylogicalvolume 
Volume Unrecognized Data Deactivate || Delete 
Format 
Usage - 
Type - 


6. Click Format. 


7. In the Erase drop down menu, select: 


e Don’t overwrite existing data— the RHEL web console rewrites only the disk header. 
Advantage of this option is speed of formatting. 


e Overwrite existing data with zeros— the RHEL web console rewrites the whole disk with 
zeros. This option is slower because the program have to go through the whole disk. Use this 
option if the disk includes any data and you need to overwrite it. 


8. In the Type drop down menu, select a file system: 


e XFS file system supports large logical volumes, switching physical drives online without 
outage, and growing an existing file system. Leave this file system selected if you do not 
have a different strong preference. 

XFS does not support reducing the size of a volume formatted with an XFS file system 


€ ext4 file system supports: 
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o Logical volumes 

o Switching physical drives online without outage 
o Growing a file system 

o Shrinking a file system 


You can also select a version with the LUKS (Linux Unified Key Setup) encryption, which allows 
you to encrypt the volume with a passphrase. 


9. Inthe Name field, enter the logical volume name. 


10. In the Mounting drop down menu, select Custom. 
The Default option does not ensure that the file system will be mounted on the next boot. 


11. In the Mount Point field, add the mount path. 


12. Select Mount at boot. 


Format /dev/volumegroup1/thinvolume1 


Erase | Don't overwrite existing data v 
Type | XFS - Red Hat Enterprise Linux 7 default v 
Name | myfilesystem 
Mounting | Custom v 
Mount options (м Mount at boot 
[_) Mount read only 


(_} Custom mount options 


Formatting a storage device will erase all data on it. 


13. Click Format. 


Formatting can take several minutes depending on the volume size and which formatting 
options are selected. 


After the formatting has completed successfully, you can see the details of the formatted 
logical volume on the Filesystem tab. 


м 20 СІВ xfs File System /dev/myvolumegroup/mylogicalvolume 


Volume Filesystem Deactivate | Delete 


Format 
Name myfilesystem 


Mount Point (default) Mount 


Used - 
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14. To use the logical volume, click Mount. 


At this point, the system can use mounted and formatted logical volume. 
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CHAPTER 20. USING THE WEB CONSOLE FOR CHANGING 
PHYSICAL DRIVES IN VOLUME GROUPS 


Change the drive in a volume group using the RHEL 8 web console. 
The change of physical drives consists of the following procedures: 
e Adding physical drives from logical volumes. 


e Removing physical drives from logical volumes. 


Prerequisites 


e The RHEL 8 web console has been installed. 
For details, see Installing the web console. 


e The cockpit-storaged package is installed on your system. 
€ Anew physical drive for replacing the old or broken one. 


e The configuration expects that physical drives are organized in a volume group. 


20.1. ADDING PHYSICAL DRIVES TO VOLUME GROUPS IN THE WEB 
CONSOLE 


The RHEL 8 web console enables you to add a new physical drive or other type of volume to the existing 
logical volume. 


Prerequisites 


€ A volume group must be created. 


€ Anew drive connected to the machine. 


Procedure 


1. Log in to the RHEL 8 web console. 
2. Click Storage. 
3. In the Volume Groups box, click the volume group in which you want to add a physical volume. 


4. In the Physical Volumes box, click the + icon. 


Physical Volumes ( + ) 


QEMU HARDDISK(DISK1) = 
20 СІВ, 0 free 


QEMU HARDDISK(DISK2) = 


20 СІВ, 20 СІВ free 


5. In the Add Disks dialog box, select the preferred drive and click Add. 
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Add Disks 


Disks 


м 20 СІВ QEMU HARDDISK(DISK3) /dev/sdb1 


Cancel 


As aresult, the RHEL 8 web console adds the physical volume. You can see it in the Physical Volumes 
section, and the logical volume can immediately start to write on the drive. 


20.2. REMOVING PHYSICAL DRIVES FROM VOLUME GROUPS IN THE 
WEB CONSOLE 


If a logical volume includes multiple physical drives, you can remove one of the physical drives online. 


The system moves automatically all data from the drive to be removed to other drives during the 
removal process. Notice that it can take some time. 


The web console also verifies, if there is enough space for removing the physical drive. 


Prerequisites 
€ Avolume group with more than one physical drive connected. 


Procedure 


The following steps describe how to remove a drive from the volume group without causing outage in 
the RHEL web console. 


1. Log in to the RHEL 8 web console. 

2. Click Storage. 

3. Click the volume group in which you have the logical volume. 
4. |n the Physical Volumes section, locate the preferred volume. 


5. Click the - icon. 
The RHEL 8 web console verifies, if the logical volume has enough free space for removing the 
disk. If not, you cannot remove the disk and it is necessary to add another disk first. For details, 
see Adding physical drives to logical volumes in the web console . 


Physical Volumes + 


QEMU HARDDISK(DISK1) — 
20 GiB, 0 free 


QEMU HARDDISK(DISK2) - 
20 GiB, 20 GiB free 


QEMU HARDDISK(DISK3) - 
20 GiB, 20 GiB free 
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As results, the RHEL 8 web console removes the physical volume from the created logical volume 
without causing an outage. 
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CHAPTER 21. USING THE WEB CONSOLE FOR MANAGING 
VIRTUAL DATA OPTIMIZER VOLUMES 


Configure the Virtual Data Optimizer (VDO) using the RHEL 8 web console. 
You will learn how to: 

€ Create VDO volumes 

e Format VDO volumes 


e Extend VDO volumes 


Prerequisites 


e The RHEL 8 web console is installed and accessible. 
For details, see Installing the web console. 


e The cockpit-storaged package is installed on your system. 


21.1. VDO VOLUMES IN THE WEB CONSOLE 
Red Hat Enterprise Linux 8 supports Virtual Data Optimizer (VDO). 
VDO is a block virtualization technology that combines: 


Compression 

For details, see Enabling or disabling compression in VDO. 
Deduplication 

For details, see Enabling or disabling deduplication in VDO. 
Thin provisioning 


For details, see Thinly-provisioned logical volumes (thin volumes). 
Using these technologies, VDO: 
€ Saves storage space inline 
ө Compresses files 
e Eliminates duplications 


e Enables you to allocate more virtual space than how much the physical or logical storage 
provides 


e Enables you to extend the virtual storage by growing 


VDO can be created on top of many types of storage. In the RHEL 8 web console, you can configure 
VDO on top of: 


e | VM 
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SX 7 NOTE 


It is not possible to configure VDO on top of thinly-provisioned volumes. 


e Physical volume 


e Software RAID 


For details about placement of VDO in the Storage Stack, see System Requirements. 


Additional resources 


For details about VDO, see Deduplicating and compressing storage. 


21.2. CREATING VDO VOLUMES IN THE WEB CONSOLE 


Create a VDO volume in the RHEL web console. 


Prerequisites 


Physical drives, LVMs, or RAID from which you want to create VDO. 


Procedure 


1. 


Log in to the RHEL 8 web console. 
For details, see Logging in to the web console . 


. Click Storage. 


. Click the * icon in the VDO Devices box. 


VDO Devices 


No storage set up as VDO 


. In the Name field, enter a name of a VDO volume without spaces. 
. Select the drive that you want to use. 


. In the Logical Size bar, set up the size of the VDO volume. You can extend it more than ten 


times, but consider for what purpose you are creating the VDO volume: 


€ Foractive VMs or container storage, use logical size that is ten times the physical size of the 
volume. 


e For object storage, use logical size that is three times the physical size of the volume. 


For details, see Deploying VDO. 


. In the Index Memory bar, allocate memory for the VDO volume. 


For details about VDO system requirements, see System Requirements. 


. Select the Compression option. This option can efficiently reduce various file formats. 
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For details, see Enabling or disabling compression in VDO. 


9. Select the Deduplication option. 
This option reduces the consumption of storage resources by eliminating multiple copies of 
duplicate blocks. For details, see Enabling or disabling deduplication in VDO. 


10. [Optional] If you want to use the VDO volume with applications that need a 512 bytes block size, 
select Use 512 Byte emulation This reduces the performance of the VDO volume, but should 


be very rarely needed. If in doubt, leave it off. 


11. Click Create. 


Create VDO Device 


Name | myvirtualdataoptimizer 


Disk (€) 5.72 СІВ RAID Device 127 /dev/md/127 


Logical Size LL 1]L11 Ф 5.76 | GIB v 
ndex Memory — 256 | MiB v 


Options (V Compression 
(М Deduplication 


J Use 512 Byte emulation 


If the process of creating the VDO volume succeeds, you can see the new VDO volume in the Storage 
section and format it with a file system. 


VDO Devices 


myvirtualdataoptimizer 
5.76 GIB 


21.3. FORMATTING VDO VOLUMES IN THE WEB CONSOLE 


VDO volumes act as physical drives. To use them, you need to format them with a file system. 
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| WARNING 
A Formatting VDO will erase all data on the volume. 


The following steps describe the procedure to format VDO volumes. 


Prerequisites 


e AVDO volume is created. For details, see Section 21.2, "Creating VDO volumes in the web 
console". 


Procedure 


1. Log in to the RHEL 8 web console. 
For details, see Logging in to the web console . 


2. Click Storage. 

3. Click the VDO volume. 

4. Click on the Unrecognized Data tab. 
5. Click Format. 


v 14.2 GIB Unrecognized Data /dev/mapper/myvirtualdeviceoptimizer 


Unrecognized Data 


6. In the Erase drop down menu, select: 


Don't overwrite existing data 


The RHEL web console rewrites only the disk header. The advantage of this option is the 
speed of formatting. 


Overwrite existing data with zeros 


The RHEL web console rewrites the whole disk with zeros. This option is slower because the 
program has to go through the whole disk. Use this option if the disk includes any data and 
you need to rewrite them. 


7. In the Type drop down menu, select a filesystem: 


e The XFS file system supports large logical volumes, switching physical drives online without 
outage, and growing. Leave this file system selected if you do not have a different strong 
preference. 

XFS does not support shrinking volumes. Therefore, you will not be able to reduce volume 
formatted with XFS. 
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10. 


11. 


12. 


e The ext4 file system supports logical volumes, switching physical drives online without 
outage, growing, and shrinking. 


You can also select a version with the LUKS (Linux Unified Key Setup) encryption, which allows 
you to encrypt the volume with a passphrase. 


. In the Name field, enter the logical volume name. 


. In the Mounting drop down menu, select Custom. 


The Default option does not ensure that the file system will be mounted on the next boot. 
In the Mount Point field, add the mount path. 


Select Mount at boot. 


Format /dev/volumegroup1/thinvolume1 


Erase | Don't overwrite existing data ы 
Type | XFS - Red Hat Enterprise Linux 7 default Y 
Name | myfilesystem 


Mounting | Custom 


v 


Mount options (м Mount at boot 
[_) Mount read only 


[_) Custom mount options 


Formatting a storage device will erase all data on it. 


Click Format. 


Formatting can take several minutes depending on the used formatting options and the volume 
size. 


After a successful finish, you can see the details of the formatted VDO volume on the 
Filesystem tab. 


М 5.76 СІВ xfs File System /dev/mapper/myvirtualdataoptimizer 


Filesystem 


Format 
Name myfilesystem 


Mount Point (default) Mount 


Used - 


13. To use the VDO volume, click Mount. 
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At this point, the system uses the mounted and formatted VDO volume. 


21.4. EXTENDING VDO VOLUMES IN THE WEB CONSOLE 


Extend VDO volumes in the RHEL 8 web console. 


Prerequisites 
e The cockpit-storaged package is installed on your system. 


e The VDO volume created. 


Procedure 


1. Login to the RHEL 8 web console. 
For details, see Logging in to the web console . 


2. Click Storage. 


3. Click your VDO volume in the VDO Devices box. 


VDO Devices 


myvirtualdataoptimizer 
5.76 GIB 


4. Inthe VDO volume details, click the Grow button. 


5. In the Grow logical size of VDO dialog box, extend the logical size of the VDO volume. 


Grow logical size of myvirtualdeviceoptimizer 


Logical Size EL M2 M M LM 2 QQIl]e||l Q V V. GiB v 


Original size of the logical volume from the screenshot was 6 GB. As you can see, the RHEL web 
console enables you to grow the volume to more than ten times the size and it works correctly 
because of the compression and deduplication. 


6. Click Grow. 


If the process of growing VDO succeeds, you can see the new size in the VDO volume details. 
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VDO Device myvirtualdataoptimizer Stop 


Device File /dev/mapper/myvirtualdataoptimizer 
Backing Device /dev/md/127 
Physical 1.11 MIB data * 3.72 GiB overhead used of 5.72 GiB (6596) 
Logical 11.7 MiB usef огво aie dos saved) | Grow 
ndex Memory 256 MIB 
Compression He 


Deduplication He 


BB 
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CHAPTER 22. LOCKING DATA WITH LUKS PASSWORD IN THE 
RHEL WEB CONSOLE 


In the web console's Storage tab, you can now create, lock, unlock, resize, and otherwise configure 
encrypted devices using the LUKS (Linux Unified Key Setup) version 2 format. 


This new version of LUKS offers: 
e More flexible unlocking policies 
e Stronger cryptography 


e Better compatibility with future changes 


Prerequisites 


e The RHEL 8 web console has been installed. 
For details, see Installing the web console. 


e The cockpit-storaged package is installed on your system. 


22.1. LUKS DISK ENCRYPTION 


The Linux Unified Key Setup-on-disk-format (LUKS) enables you to encrypt block devices and it 
provides a set of tools that simplifies managing the encrypted devices. LUKS allows multiple user keys 
to decrypt a master key, which is used for the bulk encryption of the partition. 


RHEL utilizes LUKS to perform block device encryption. By default, the option to encrypt the block 
device is unchecked during the installation. If you select the option to encrypt your disk, the system 
prompts you for a passphrase every time you boot the computer. This passphrase "unlocks" the bulk 
encryption key that decrypts your partition. If you choose to modify the default partition table, you can 
choose which partitions you want to encrypt. This is set in the partition table settings. 


What LUKS does 


e LUKS encrypts entire block devices and is therefore well-suited for protecting contents of 
mobile devices such as removable storage media or laptop disk drives. 


e Theunderlying contents of the encrypted block device are arbitrary, which makes it useful for 
encrypting swap devices. This can also be useful with certain databases that use specially 
formatted block devices for data storage. 

e LUKS uses the existing device mapper kernel subsystem. 


e LUKS provides passphrase strengthening, which protects against dictionary attacks. 


e LUKS devices contain multiple key slots, allowing users to add backup keys or passphrases. 


What LUKS doesnot do 


e Disk-encryption solutions like LUKS protect the data only when your system is off. Once the 
system is on and LUKS has decrypted the disk, the files on that disk are available to anyone who 
would normally have access to them. 
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e LUKS is not well-suited for scenarios that require many users to have distinct access keys to the 
same device. The LUKS1 format provides eight key slots, LUKS2 up to 32 key slots. 


e LUKS is not well-suited for applications requiring file-level encryption. 


Ciphers 


The default cipher used for LUKS is aes-xts-plain64. The default key size for LUKS is 512 bits. The 
default key size for LUKS with Anaconda (XTS mode) is 512 bits. Ciphers that are available are: 


e AES - Advanced Encryption Standard 
e Twofish (a 128-bit block cipher) 


e Serpent 


Additional resources 


e LUKS Project Home Page 
e LUKS On-Disk Format Specification 


e FIPS PUB 197 


22.2. CONFIGURING THE LUKS PASSPHRASE IN THE WEB CONSOLE 


If you want to add encryption to an existing logical volume on your system, you can only do so through 
formatting the volume. 


Prerequisites 


€ The web console must be installed and accessible. 
For details, see Installing the web console. 


e The cockpit-storaged package is installed on your system. 


€ Available existing logical volume without encryption. 


Procedure 


1. Log in to the RHEL 8 web console. 
For details, see Logging in to the web console . 


2. Click Storage. 
3. Select the storage device you want to format. 
4. Click the menu icon and select Format option. 


5. Select the Encrypt data box to activate encryption on your storage device. 
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iM Encrypt data 


Passphrase 


Confirm 


[.] Store passphrase 
[М Unlock at boot 
Unlock read only 


Custom encryption options 


6. Set and confirm your new passphrase. 
7. [Optional] Modify further encryption options. 
8. Finalize formatting settings. 


9. Click Format. 


22.3. CHANGING THE LUKS PASSPHRASE IN THE WEB CONSOLE 


Change a LUKS passphrase on an encrypted disk or partition in the web console. 


Prerequisites 


€ The web console must be installed and accessible. 
For details, see Installing the web console. 


e The cockpit-storaged package is installed on your system. 


Procedure 


1. Login to the web console. 
For details, see Logging in to the web console . 


2. Click Storage 

3. In the Drives table, select the disk with encrypted data. 
4. In Content, select the encrypted partition. 

5. Click Encryption. 


6. In the Keys table, click the pen icon. 
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Keys 
Passphrase Slot O — 


7. In the Change passphrase dialog window: 


a. Enter your current passphrase. 
b. Enter your new passphrase. 


c. Confirm your new passphrase. 


Change passphrase 


Old passphrase БЕСЕ 


New passphrase 660966060066 
Repeat passphrase 96062606600 
8. Click Save 
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CHAPTER 23. CONFIGURING AUTOMATED UNLOCKING 
USING A TANG KEY IN THE WEB CONSOLE 


Configure automated unlocking of a LUKS-encrypted storage device using a key provided by a Tang 
server. 


Prerequisites 


e The RHEL 8 web console has been installed. 
For details, see Installing the web console. 


e The cockpit-storaged package is installed on your system. 
e The cockpit.socket service is running at port 9090. 
e The clevis, tang, and clevis-dracut packages are installed. 


e A Tang server is running. 


Procedure 


1. Open the RHEL web console by entering the following address in a web browser: 
| https://localhost.9090 


Replace the /oca/host part by the remote server's host name or IP address when you connect to 
a remote system. 


2. Provide your credentials and click Storage. Select an encrypted device and click Encryption in 
the Content part: 


3. Click +in the Keys section to add a Tang key: 


RED HAT ENTERPRISE LINUX & | © Ute Sap 


Capacity 14.9 GiB, 16.0 GB, 16013852672 bytes 


E localhost.localdo... 
Device File /dev/sda 
Q Search 
- Content Create Partition Table | 
Overview 
Logs | 
14.9 GiB Encrypted data /dev/sdal 


Storage 
Partition Encryption B 
Networking n. 


BECOMES Stored passphrase 


Services Options (попе) 


Applications Keys 


Diagnostic Passphrase Slot 0 = 


Reports 


Kernel Dump 


or > 14.9 GIB xfs File /dev/mapper/luks-639fb24e-76de-4f34-b752- 
System e257b9f856e4 A 
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4. Provide the address of your Tang server and a password that unlocks the LUKS-encrypted 
device. Click Add to confirm: 


Add Key 


Keysource (©) Passphrase © Tang keyserver 
Keyserver address example.com:80 
Disk passphrase e€0606060050660800 


Saving a new passphrase requires unlocking the disk. Please provide a current disk 


5. The following dialog window provides a command to verify that the key hash matches. RHEL 
8.2 introduced the tang-show-keys script, and you can obtain the key hash using the following 
command on the Tang server running on the port 7500: 


passphrase. 


# tang-show-keys 7500 
3ZWS6-cDrCG61UPJS2BMmPUA154 
On RHEL 8.1 and earlier, obtain the key hash using the following command: 
# curl -s localhost:7500/adv | jose fmt -j- -9 payload -y -o- | jose jwk use -i- -r -u verify -o- | 
jose jwk thp -i- 
3ZWS6-cDrCG61UPJS2BMmPUA154 


6. Click Trust key when the key hashes in the web console and in the output of previously listed 
commands are the same: 
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Verify key 


Make sure the key hash from the Tang server matches: 


3ZWS6 - cDrCG61UPJS2BMmPUAI54 


Manually check with SSH: ssh localhost tang-show-keys 7500 


If tang-show-keys is not available, run the following: 
ssh localhost "curl -s localhost:7500/adv | 
jose fmt -j- -g payload -y -o- | 
jose jwk use -i- -r -u verify -o- | 
jose jwk thp -i-" 


Cancel 


7. To enable the early boot system to process the disk binding, click Terminal at the bottom of 
the left navigation bar and enter the following commands: 


# yum install clevis-dracut 
# dracut -fv --regenerate-all 


Verification 


1. Check that the newly added Tang key is now listed in the Keys section with the Keyserver type: 


м 14.9 СІВ Encrypted data /dev/sdal 


Partition Encryption E 
Stored passphrase 


Options (попе) 


Passphrase Slot O [4 ][-] 
Keyserver localhost:7500 Slot] [-] 


2. Verify that the bindings are available for the early boot, for example: 


# Isinitrd | grep clevis 
clevis 

clevis-pin-sss 
clevis-pin-tang 
clevis-pin-tpm2 
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-rwxr-xr-x 1 root 
-rwxr-xr-x 1 root 


-rWwXxr-xr-X 2 root 
clevis-hook.sh 
-rwxr-xr-x 1 root 


Additional resources 
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root 
root 


root 


root 


1600 Feb 11 16:30 usr/bin/clevis 
1654 Feb 11 16:30 usr/bin/clevis-decrypt 


45 Feb 11 16:30 usr/lib/dracut/hooks/initqueue/settled/60- 


2257 Feb 11 16:30 usr/libexec/clevis-luks-askpass 


e Configuring automated unlocking of encrypted volumes using policy-based decryption 
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CHAPTER 24. MANAGING SOFTWARE UPDATES IN THE WEB 
CONSOLE 
Lear how to manage software updates in the RHEL 8 web console and ways to automate them. 
The Software Updates module in the web console is based on the yum utility. For more information 


about updating sofware with yum, see the Checking for updates and updating packages section. 


24.1. MANAGING MANUAL SOFTWARE UPDATES IN THE WEB 
CONSOLE 


This section describes how to manually update your software using the web console. 


Prerequisites 
€ The web console must be installed and accessible. 
For details, see Installing the web console. 
Procedure 


1. Log in to the RHEL 8 web console. 
For details, see Logging in to the web console . 


2. Click Software Updates. 
The list of available updates refreshes automatically if the last check happened more than 24 
hours ago. To trigger a refresh, click the Check for Updates button. 


3. Apply updates. 


a. To install all available updates, click the Install all updates button. 


Install All Updates 


b. If you have security updates available, you can install them separately by clicking the Install 
Security Updates button. 


Install Security Updates 


You can watch the update log while the update is running. 


4. After the system applies updates, you get a recommendation to restart your system. 
We recommend this especially if the update included a new kernel or system services that you 
do not want to restart individually. 


5. Click Ignore to cancel the restart, or Restart Now їо proceed with restarting your system. 
After the system restart, log in to the web console and go to the Software Updates page to 
verify that the update has been successful. 


24.2. MANAGING AUTOMATIC SOFTWARE UPDATES IN THE WEB 
CONSOLE 
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In the web console, you can choose to apply all updates, or security updates and also manage periodicity 
and time of your automatic updates. 
Prerequisites 


e The web console must be installed and accessible. For details, see Installing the web console. 


Procedure 


1. Log in to RHEL 8 web console. 
For details, see Logging in to the web console . 


2. Click Software Updates. 


3. If you want to automatically apply only security updates, click on the Apply all updates drop- 
down menu and select Apply security updates. 


4. To modify day of the automatic update, click on the every day drop-down menu and select a 
specific day. 


5. To modify time of the automatic update, click on the 6:00 drop-down menu and select a 
specific time. 


RED HAT ENTERPRISE LINUX 


No updates pending Last checked: a few seconds ago | Check for Updates 


E localhost.locald... 


Automatic Updates @ 


Apply all updates v Fridays v at | 12:00 ~ and restart the machine automatically. 


6. If you want to disable automatic software updates, click on switch next to Automatic Updates 
to move it to disabled position. 


RED HAT ENTERPRISE LINUX 


No updates pending 


Е localhost.locald... 


| Automatic Updates 


24.3. MANAGING ON-DEMAND RESTARTING AFTER APPLYING 
SOFTWARE UPDATES IN THE WEB CONSOLE 


The intelligent restarting feature informs the users whether it is necessary to reboot the whole system 
after you apply a software update or if it is sufficient to only restart certain services. 


Prerequisites 


e The web console must be installed and accessible. For details, see Installing the web console. 


126 


CHAPTER 24. MANAGING SOFTWARE UPDATES IN THE WEB CONSOLE 


Procedure 


1. Log in to RHEL 8 web console. 
For details, see Logging in to the web console . 


2. Click Software Updates. 
3. Apply an update of your system. 


4. After a successful update, click Reboot system..., Restart services... or Ignore 


Update was successful 


v C 2 packages need a system reboot 


systemd kernel 

› & 24 services need to be restarted 

v 8 Some software needs to be restarted manually 
cockpit-bridge dnsmasq 
cockpit-pcp (sd-pam) 
sudo cockpit-session 
bash 


Reboot system. Restart services... Ignore 


> Package information 


5. If you decide to ignore, you can return to the restart or reboot menu by clicking Restart 
services... in the Status field of the Software Updates page. 


Status Automatic updates 


e 2 services need to be restarted Automatic updates are not set up 


Update history 


v 2021-02-16 06:57 $8) 3 packages 


openssh openssh-clients 


openssh-server 


> 2021-02-16 06:55 18 10 packages 
> 2021-02-16 06:46 1g) 127 packages 


6. Reboot the system or restart suggested services. 
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CHAPTER 25. MANAGING SUBSCRIPTIONS IN THE WEB 
CONSOLE 


Manage your subscription for Red Hat Enterprise Linux 8 from the web console. 


To get a subscription for your Red Hat Enterprise Linux, you need to have an account in the Red Hat 
Customer Portal or an activation key. 


This chapter covers: 
e Subscription management in the RHEL 8 web console. 


e Registering subscriptions for your system in the web console with the Red Hat user name and 
password. 


e Registering subscriptions with the activation key. 


Prerequisites 


e Purchased subscriptions. 


e The system subjected to subscription has to be connected to the Internet because the web 
console needs to communicate with the Red Hat Customer Portal. 


25.1. SUBSCRIPTION MANAGEMENT IN THE WEB CONSOLE 


The RHEL 8 web console provides an interface for using Red Hat Subscription Manager installed on your 
local system. 


The Subscription Manager connects to the Red Hat Customer Portal and verifies all available: 
€ Active subscriptions 
€ Expired subscriptions 
e Renewed subscriptions 
If you want to renew the subscription or get a different one in Red Hat Customer Portal, you do not have 


to update the Subscription Manager data manually. The Subscription Manager synchronizes data with 
Red Hat Customer Portal automatically. 


25.2. REGISTERING SUBSCRIPTIONS WITH CREDENTIALS IN THE WEB 
CONSOLE 


Use the following steps to register a newly installed Red Hat Enterprise Linux using the RHEL 8 web 
console. 


Prerequisites 


€ Avalid user account on the Red Hat Customer Portal. 
See the Create а Red Hat Login page. 


€ Active subscription for your RHEL system. 
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Procedure 


1. Type subscription in the search field and press the Enter key. 
Activities AANO 


Q subscription| 


Red Hat Subscri 


Alternatively, you can log in to the RHEL 8 web console. For details, see Logging in to the web 
console. 


2. In the polkit authentication dialog for privileged tasks, add the password belonging to the user 
name displayed in the dialog. 
Authentication Required 


Authentication is required to perform privileged tasks 
with the Cockpit Web Console 


A Example User 


Password: v""9090909000000009€9 


Cancel Authenticate 


3. Click Authenticate. 


4. |n the Subscriptions dialog box, click Register. 
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Subscriptions 


Subscriptions 
Status: This system is currently not registered. 


System Purpose 
Status: Unknown 
Usage: Development/Test 


Role: Red Hat Enterprise Linux Workstation 


5. Enter your Customer Portal credentials. 


Register System 


URL Default v 


Proxy (|_| I would like to connect via an HTTP proxy. 


Login example.user@redhat.com 


Activation Key key one кеј 


Organization 


6. Enter the name of your organization. 
If you have more than one account on the Red Hat Customer Portal, you have to add the 
organization name or organization ID. To get the org ID, go to your Red Hat contact point. 


7. Click the Register button. 


At this point, your Red Hat Enterprise Linux 8 system has been successfully registered. 


130 


CHAPTER 25. MANAGING SUBSCRIPTIONS IN THE WEB CONSOLE 


Subscriptions 


Status: Current 


System Purpose 


Status: Unknown 
Usage: Development/Test 


Role: Red Hat Enterprise Linux Workstation 


Installed products 


v (9  RedHatEnterprise Linux for x86 64 High Touch Beta 


Product Name Red Hat Enterprise Linux for x86 64 High Touch Beta 
ProductID 230 
Version 8.0 HTB 
Arch x86 64 
Status Subscribed 
Starts 10/07/2018 
Ends 10/06/2019 


25.3. REGISTERING SUBSCRIPTIONS WITH ACTIVATION KEYS IN THE 
WEB CONSOLE 


To register a subscription for Red Hat Enterprise Linux, 


Prerequisites 


€ |fyou do not have a user account in the portal, your vendor provides you with the activation key. 


Procedure 


1. Type subscription in the search field and press the Enter key. 
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Activities Sun 14:49 a”) Ov 


О, subscription] 


Red Hat Subscri... 


Alternatively, you can log in to the RHEL 8 web console. For details, see 


2. In the authentication dialog, add the system username and password you created during the 
system installation. 


Authentication Required 


Authentication is required to perform privileged tasks 
with the Cockpit Web Console 


A Example User 


Password: v""9090909000000009€9 


Cancel Authenticate 


3. Click Authenticate. 


4. In the Subscriptions dialog box, click Register. 


Subscriptions 


Subscriptions 


Status: This system is currently not registered. 


System Purpose 


Status: Unknown 


Usage: Development/Test 


Role: Red Hat Enterprise Linux Workstation 


5. Enter the activation key in the registration form. 
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6. Enter the name of your organization. 
You need to add the organization name or organization ID, if you have more than one account in 


the Red Hat Customer Portal. 


To get the org ID, go to your Red Hat contact point. 


Register System 


URL Default v 
Proxy |_| | would like to connect via ап HTTP proxy. 
Login 

Password 


Activation Key 3b19c539-f8d4-0123-9d91-g1a12345d9cf0 


Organization | 98765432 


7. Click the Register button. 


At this point, your RHEL 8 system has been successfully registered. 
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Subscriptions 


Status: Current 


System Purpose 


Status: Unknown 
Usage: Development/Test 


Role: Red Hat Enterprise Linux Workstation 


Installed products 


v ©  RedHatEnterprise Linux for x86 64 High Touch Beta 


Product Name Red Hat Enterprise Linux for x86 64 High Touch Beta 
ProductID 230 
Version 8.0 HTB 
Arch х86 64 
Status Subscribed 
Starts 10/07/2018 
Ends 10/06/2019 
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CHAPTER 26. CONFIGURING KDUMP IN THE WEB CONSOLE 


Setup and test the kdump configuration in the RHEL 8 web console. 
The web console is part of a default installation of Red Hat Enterprise Linux 8 and enables or disables 
the kdump service at boot time. Further, the web console conveniently enables you to configure the 


reserved memory for kdump; or to select the vmcore saving location in an uncompressed or 
compressed format. 


26.1. ADDITIONAL RESOURCES 


€ Getting started using the RHEL web console 


26.2. CONFIGURING KDUMP MEMORY USAGE AND TARGET 
LOCATION IN WEB CONSOLE 


The procedure below shows you how to use the Kernel Dump tab in the Red Hat Enterprise Linux web 
console interface to configure the amount of memory that is reserved for the kdump kernel. The 
procedure also describes how to specify the target location of the vmcore dump file and how to test 
your configuration. 


Procedure 
1. Open the Kernel Dump tab and start the kdump service. 
2. Configure the kdump memory usage using the command line. 


3. Click the link next to the Crash dump location option. 


RED HAT ENTERPRISE LINUX 


kdump status Service is running 


Diagnostic Reports - : 
: eserved memory 128 MiB 


Kernel Dump Crash dump location locally in /var/crash/ 


Test Configuration | @ 


4. Select the Local Filesystem option from the drop-down and specify the directory you want to 
save the dump in. 
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Crash dump location 


Location | Local Filesystem 


Directory | /var/crash/ 


Compression [4 Compress crash dumps to save space 


Cancel Apply 


e Alternatively, select the Remote over SSH option from the drop-down to send the vmcore 
to a remote machine using the SSH protocol. 
Fill the Server, ssh key, and Directory fields with the remote machine address, ssh key 
location, and a target directory. 


€ Another choice is to select the Remote over NFS option from the drop-down апа fill the 
Mount field to send the vmcore to a remote machine using the NFS protocol. 


NOTE 


Tick the Compression check box to reduce the size of the vmcore file. 


5. Test your configuration by crashing the kernel. 


kdump status | Service is running 
Reserved memory 128 MIB 
Crash dump location locally in /var/crash/ 


Test Configuration | & 


| WARNING 
/N This step disrupts execution of the kernel and results in a system crash and 


loss of data. 
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Additional resources 


e Supported kdump targets 


€ Using secure communications between two systems with OpenSSH 
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CHAPTER 27. MANAGING VIRTUAL MACHINES IN THE WEB 
CONSOLE 


Manage your virtual machines in a RHEL 8 web console and learn about the virtualization management 
capabilities. 


To manage virtual machines in a graphical interface on a RHEL 8 host, you can use the Virtual Machines 
pane in the RHEL 8 web console. 


root@ 


Hel а 
kvm-01-guestO1.lab.e... ы © Єр x 
Ep 1 Storage Pool @1 Qo fa 1 Network @1 Qo 
System 
Overview EAM 
Virtual Machines Create VM. | | Import VM | 


Logs 
Name Connection State 


Networking 


Oasis vl System running | Shut Down | H 


Virtual Machines Overview Usage Disks Network Interfaces Consoles 


Accounts General Hypervisor Details 

Memory 1GiB Emulated Machine — pc-i440fx-rhel76.0 
Services vCPUs 2 Firmware BIOS 

CPUType custom (qemu64) 

Boot Order disk 


Tools = 
Autostart C Run when host boots 


Applications 


Diagnostic Reports 


Kernel Dump 


27.1. OVERVIEW OF VIRTUAL MACHINE MANAGEMENT USING THE 
WEB CONSOLE 


The RHEL 8 web console is a web-based interface for system administration. As one of its features, the 
web console provides a graphical view of virtual machines (VMs) on the host system, and makes it 
possible to create, access, and configure these VMs. 


Note that to use the web console to manage your VMs on RHEL 8, you must first install a web console 
plug-in for virtualization. 


Next steps 


e For instructions on enabling VMs management in your web console, see Section 27.2, "Setting 
up the web console to manage virtual machines". 


e Foracomprehensive list of VM management actions that the web console provides, see 
Section 27.3, “Virtual machine management features available in the web console" . 


e Foralist of features that are currently not available in the web console but can be used in the 


virt-manager application, see Section 27.4, "Differences between virtualization features in 
Virtual Machine Manager and the web console". 


27.2. SETTING UP THE WEB CONSOLE TO MANAGE VIRTUAL 
MACHINES 


Before using the RHEL 8 web console to manage virtual machines (VMs), you must install the web 
console virtual machine plug-in on the host. 
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Prerequisites 


€ Ensure that the web console is installed and enabled on your machine. 


# systemctl status cockpit.socket 
cockpit.socket - Cockpit Web Service Socket 
Loaded: loaded (/usr/lib/systemd/system/cockpit.socket 


[..] 


If this command returns Unit cockpit.socket could not be found, follow the Installing the web 
console document to enable the web console. 


Procedure 


e Install the cockpit-machines plug-in. 


| # yum install cockpit-machines 


Verification 


e |{ the installation is successful, Virtual Machines appears in the web console side menu. 


root@ 
Я e @- 
kvm-01-guestO1.lab.e... ©; Бар 
О, Search 
E 1 Storage Pool 61 Qo 5 1 Network 61 Qo 

System 
Overview 

Virtual Machines Import VM 
Logs 

Name Connection State 

Nebworting > | Oasis м System running | ShutDown | 1 


Virtual Machines 


Accounts 


Services 


Tools 


Applications 


Diagnostic Reports 


Kernel Dump 


Additional resources 


€ For instructions on connecting to the web console, as well as other information on using the web 
console, see the Managing systems using the RHEL 8 web console document. 


27.3. VIRTUAL MACHINE MANAGEMENT FEATURES AVAILABLE IN 
THE WEB CONSOLE 


Using the RHEL 8 web console, you can perform the following actions to manage the virtual machines 
(VMs) on your system. 


Table 27.1. VM tasks that can be performed in the RHEL 8 web console 
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Task For details, see: 


Create a VM and install it with a guest operating 
system 


Delete a VM. 


Start, shut down, and restart the VM 


Connect to and interact with a VM using a variety of 
consoles 


View a variety of information about the VM 


Adjust the host memory allocated to а VM 


Manage network connections for the VM 


Manage the VM storage available on the host and 


attach virtual disks to the VM 


Configure the virtual CPU settings of the VM 


Creating virtual machines and installing guest 
operating systems using the web console 


Deleting virtual machines using the web console 


Starting virtual machines using the web consoleand 
Shutting down and restarting virtual machines using 
the web console 


Interacting with virtual machines using the web 
console 


Viewing virtual machine information using the web 
console 


Adding and removing virtual machine memory using 
the web console 


Using the web console for managing virtual machine 
network interfaces 


Managing storage for virtual machines using the web 
console 


Managing virtual CPUs using the web console 


27.4. DIFFERENCES BETWEEN VIRTUALIZATION FEATURES IN 
VIRTUAL MACHINE MANAGER AND THE WEB CONSOLE 


The Virtual Machine Manager (virt-manager) application is supported in RHEL 8, but has been 
deprecated. The web console is intended to become its replacement in a subsequent major release. It is, 
therefore, recommended that you get familiar with the web console for managing virtualization in a GUI. 


However, in RHEL 8, some VM management tasks can only be performed in virt-manager or the 
command line. The following table highlights the features that are available in virt-manager but not 


available in the RHEL 8.0 web console. 


If a feature is available in a later minor version of RHEL 8, the minimum RHEL 8 version appears in the 


Support in web console introduced column. 


Table 27.2. VM managemennt tasks that cannot be performed using the web console in RHEL 8.0 


Support in web console 


introduced 


Alternative method using CLI 


Setting a virtual machine to start RHEL 8.1 


when the host boots 
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Support in web console Alternative method using CLI 


introduced 


Suspending a virtual machine RHEL 8.1 virsh suspend 
Resuming a suspended virtual RHEL 8.1 virsh resume 
machine 

Creating file-system directory RHEL 8.1 virsh pool-define-as 


storage pools 


Creating NFS storage pools RHEL 8.1 virsh pool-define-as 


Creating physical disk device RHEL 8.1 virsh pool-define-as 
storage pools 


Creating LVM volume group RHEL 8.1 virsh pool-define-as 
storage pools 


Creating partition-based storage CURRENTLY UNAVAILABLE virsh pool-define-as 
pools 
Creating GlusterFS-based CURRENTLY UNAVAILABLE virsh pool-define-as 


storage pools 


Creating VHBA-based storage CURRENTLY UNAVAILABLE virsh pool-define-as 
pools with SCSI devices 


Creating Multipath-based storage CURRENTLY UNAVAILABLE virsh pool-define-as 

pools 

Creating RBD-based storage CURRENTLY UNAVAILABLE virsh pool-define-as 

pools 

Creating a new storage volume RHEL 8.1 virsh vol-create 

Adding a new virtual network RHEL 8.1 virsh net-create or virsh net- 
define 

Deleting a virtual network RHEL 8.1 virsh net-undefine 

Creating a bridge from a host CURRENTLY UNAVAILABLE virsh iface-bridge 

machine's interface to a virtual 

machine 

Creating a snapshot CURRENTLY UNAVAILABLE virsh snapshot-create-as 

Reverting to a snapshot CURRENTLY UNAVAILABLE virsh snapshot-revert 
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Support in web console Alternative method using CLI 


introduced 


Deleting a snapshot CURRENTLY UNAVAILABLE virsh snapshot-delete 
Cloning a virtual machine CURRENTLY UNAVAILABLE virt-clone 
Migrating a virtual machine to CURRENTLY UNAVAILABLE virsh migrate 


another host machine 


Additional resources 


e For information on the Virtual Machine Manager, see RHEL 7 documentation. 
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CHAPTER 28. MANAGING REMOTE SYSTEMS IN THE WEB 
CONSOLE 


Connect to the remote systems and manage them in the RHEL 8 web console. 
The following chapter describes: 

e The optimal topology of connected systems. 

e How to add and remove remote systems. 


€ When, why, and how to use SSH keys for remote system authentication. 


Prerequisites 


€ Opened the SSH service on remote systems. 


28.1. REMOTE SYSTEM MANAGER IN THE WEB CONSOLE 


Using the RHEL 8 web console to manage remote systems in the network requires considering the 
topology of connected servers. 


For optimal security, Red Hat recommends the following connection setup: 


€ Useone system with the web console as a bastion host. The bastion host is a system with 
opened HTTPS port. 


e All other systems communicate through SSH. 


With the web interface running on the bastion host, you can reach all other systems through the SSH 
protocol using port 22 in the default configuration. 
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Remote 
System 
M" Remote 
a System 


cockpit.socket using 


HTTP on port 9090 oe == м 
«Ы be 1 


RHEL Local System Remote 
(RHEL) ON System 
5? 


web console 


Remote 
System 


Remote 
System 


---- SSHon port22 


28.2. ADDING REMOTE HOSTS TO THE WEB CONSOLE 


This section helps you to connect other systems with a user name and password. 


Prerequisites 
€ You need to be logged into the web console with administration privileges. 
For details, see Logging in to the web console . 
Procedure 


1. In the RHEL 8 web console, click on your username@hosiname in the top left corner of the 
Overview page. 
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euser@ 


mymachine 


Overview 


Logs 


2. In the drop down menu, click the Add new host button. 
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euser@ 


mymachine 


Hosts 


euser @ 


mymachine 


taccountl 


localhost 


Edit hosts 


Add new host 


. In the Add new host dialog box, specify the host you want to add. 


. (Optional) Add the user name for the account to which you want to connect. 


You can use any user account of the remote system. However, if you use credentials of a user 
account without administration privileges, you will not be able to perform administration tasks. 


If you use the same credentials as for your local system, the web console will authenticate 
remote systems automatically every time you log in. However, using the same credentials on 
more machines could be a potential security risk. 


. (Optional) Click the Color field to change the color of the system. 


. Click Add. 
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The new host will appear in the list of hosts in the username@hostname drop down menu. 


NOTE 


The web console does not save passwords used to log in to remote systems which means 
that you have to log in again after each system restart. Next time you log in, click the Log 
in button placed on the main screen of the disconnected remote system to open the 
login dialog. 


Not connected to host 


Login failed 


Login 


28.3. REMOVING REMOTE HOSTS FROM THE WEB CONSOLE 


This section guides you on removing other systems from the web console. 


Prerequisites 


e Remote systems added. 
For details, see Section 28.2, "Adding remote hosts to the web console" . 


e You must be logged into the web console with administrator privileges. 
For details, see Logging in to the web console . 


Procedure 


1. Login to the RHEL 8 web console. 


2. Click on your username@hostname in the top left corner of the Overview page. 
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euser@ 


mymachine 


Overview 


Logs 


3. Click the Edit Server icon. 
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euser@ 


mymachine 


mymachine 


ccountl 


localhost 


Edit hosts 


Add new host 


4. To remove a host from web console, click the red minus sign button next to its host name. Note 
that you cannot remove a host you are currently connected to. 
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taccounti@ 


localhost 


localhost 


Stop editing hosts 


Add new host 


As a result, the server is removed from your web console. 


28.4. ENABLING SSH LOGIN FOR A NEW HOST 


When you add a new host you can also log into it with an ssh key. If you already have an ssh key on your 
system, the web console will use the existing one; otherwise, the web console can create a key. 


Prerequisites 
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e You need to be logged into the web console with administration privileges. 
For details, see Logging in to the web console . 


Procedure 


1. In the RHEL 8 web console, click on your username@hosiname in the top left corner of the 
Overview page. 


euser@ 


mymachine 


Overview 


Logs 


2. Inthe drop down menu, click the Add new host button. 
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euser@ 


mymachine 


Hosts 


euser @ 


mymachine 


ie m = 


taccountl 


localhost 


Edit hosts 


Add new host 


. In the Add new host dialog box, specify the host you want to add. 


. Add the user name for the account to which you want to connect. 


You can use any user account of the remote system. However, if you use credentials of a user 
account without administration privileges, you will not be able to perform administration tasks. 


. (Optional) Click the Color field to change the color of the system. 


. Click Add. 


A new dialog window will appear asking for a password. 


. Enter the user account password. 
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8. Check Authorize ssh keyif you already have an ssh key. 
Log in to mymachine x 


Unable to log in to euser@mymachine using SSH key authentication. Please provide the 
password. You may want to set up your SSH keys for automatic login. 


Password 0000000000) 


Automatic login |м Authorize SSH key. 


The SSH key /home/euser/.ssh/id rsa of euser on localhost will be 
added to the —/.ssh/authorized keys file of euser on mymachine. 


This will allow you to log in without password in the future. 


9. Check Create a new SSH key and authorize itif you do not have an SSH key. The web console 
will create it for you. 


Log in to mymachine x 


Unable to log in to euser@mymachine using SSH key authentication. Please provide the 
password. You may want to set up your SSH keys for automatic login. 


Password 


Automatic login (м Create a new SSH key and authorize it. 


A new SSH key at /home/euser/.ssh/id rsa will be created for euser 
on localhost and it will be added to the —/.ssh/authorized keys file 
of euser on mymachine. 


Key password 


Confirm key password 
In order to allow log in to mymachine as euser without password in 


the future, use the login password of euser on localhost as the key 
password, or leave the key password blank. 


a. Add a password for the SSH key. 
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b. Confirm the password. 


10. Click Log in 
The new host will appear in the list of hosts in the username@hostname drop down menu. 


Verification steps 
1. Log out. 
2. Log back in. 
3. Click Log inin the Not connected to hostscreen. 


4. Select SSH key as your authentication option. 


Log in to mymachine 


The SSH key for logging in to euseremymachine is protected. You can log in with either 
your login password or by providing the password of the key at /home/euser/.ssh/id rsa. 
You may want to change the password of the key for automatic login. 


Authentication (©) Password | (€ SSH key 


Key password өөөөөөөө| 


The SSH key /home/euser/.ssh/id rsa will be made available for the remainder of 


the session and will be available for login to other hosts as well. 


Automatic login || ) Change the password of /home/euser/.ssh/id rsa. 


Cancel 


5. Enter your key password. 


6. Click Log in. 


Additional resources 


€ Using secure communications between two systems with OpenSSH 
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CHAPTER 29. CONFIGURING SINGLE SIGN-ON FOR THE 
RHEL 8 WEB CONSOLE IN THE IDM DOMAIN 


Learn how to use Single Sign-on (SSO) authentication provided by Identity Management (IdM) in the 
RHEL 8 web console. 


Advantages: 
e IdM domain administrators can use the RHEL 8 web console to manage local machines. 


€ Users with a Kerberos ticket in the IdM domain do not need to provide login credentials to 
access the web console. 


e All hosts known to the IdM domain are accessible via SSH from the local instance of the RHEL 8 
web console. 


e Certificate configuration is not necessary. The console's web server automatically switches to a 
certificate issued by the IdM certificate authority and accepted by browsers. 


This chapter covers the following steps to configure SSO for logging into the the RHEL web console: 


1. Add machines to the IdM domain using the RHEL 8 web console. 
For details, see Section 29.1, "Joining a RHEL 8 system to an IdM domain using the web 
console". 


2. If you want to use Kerberos for authentication, you need to obtain a Kerberos ticket on your 
machine. 
For details, see Section 29.2, "Logging in to the web console using Kerberos authentication" . 


3. Allow administrators on the IdM server to run any command on any host. 
For details, see Section 29.3, "Enabling admin sudo access to domain administrators on the IdM 
server", 


Prerequisites 


e The RHEL web console installed on RHEL 8 systems. 
For details, see Installing the web console. 


e IdM client installed on systems with the RHEL web console. 
For details, see IdM client installation. 


29.1. JOINING A RHEL 8 SYSTEM TO AN IDM DOMAIN USING THE WEB 
CONSOLE 


You can use the web console to join the Red Hat Enterprise Linux 8 system to the Identity Management 
(IdM) domain. 


Prerequisites 


e The IdM domain is running and reachable from the client you want to join. 


€ You have the IdM domain administrator credentials. 


Procedure 
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1. Log into the RHEL web console. 
For details, see Logging in to the web console . 


2. Open the System tab. 


3. Click Join Domain. 


[E] webconsole у Hardware QEMU Standard PC 6612 CPU cores 
100 
(1440FX + РИХ, 1996) 


D e89c7da66c204ec3a... 


z System Red Hat Enterprise 


Linux 8.0 
(Ootpa) 
Memory & Swap 
System Up To Date 
eys Show fingerprints 


ame webconsole (webco... 


e 2019-02-04 13:51 9 


Restart ~ KiB/s Disk I/O 


4. In the Join a Domain dialog box, enter the host name of the IdM server in the Domain Address 
field. 


5. Inthe Authentication drop down list, select if you want to use a password or a one-time 
password for authentication. 


Join a Domain 


Domain Address | server.idm.example.com 
Authentication | One Time Password v | 
One Time Password | Administrator Password 


One Time Password 


6. In the Domain Administrator Name field, enter the user name of the IdM administration 
account. 


7. In the password field, add the password or one-time password according to what you selected in 
the Authentication drop down list earlier. 


8. Click Join. 
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Join a Domain 


Domain Address | server.idm.example.com 


Authentication | Administrator Password v 


Domain Administrator Name | admin 


Verification steps 


1. If the RHEL 8 web console did not display an error, the system has been joined to the IdM 
domain and you can see the domain name in the System screen. 


2. To verify that the user is a member of the domain, click the Terminal page and type the id 
command: 


$ id 

euid-548800004(example user) gid-548800004(example user) 
groups-548800004(example user) context-zunconfined u:unconfined r:unconfined t:sO- 
s0:c0.c1023 


Additional resources 
e Planning Identity Management 
e Installing Identity Management 


e Configuring and managing Identity Management 


29.2. LOGGING IN TO THE WEB CONSOLE USING KERBEROS 
AUTHENTICATION 


The following procedure describes steps on how to set up the RHEL 8 system to use Kerberos 
authentication. 


IMPORTANT 


With SSO you usually do not have any administrative privileges in the web console. This 
only works if you configured passwordless sudo. The web console does not interactively 
ask for a sudo password. 


Prerequisites 
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e IdM domain running and reachable in your company environment. 
For details, see Section 29.1, "Joining a RHEL 8 system to an IdM domain using the web console" 


€ Enable the cockpit.socket service on remote systems to which you want to connect and 
manage them with the RHEL web console. 
For details, see Installing the web console. 


e |{ {һе system does not use a Kerberos ticket managed by the SSSD client, try to request the 
ticket with the kinit utility manually. 


Procedure 


Log in to the RHEL web console with the following address: https://dns name:9090. 


At this point, you are successfully connected to the RHEL web console and you can start with 
configuration. 


System - webconsole - Mozilla Firefox - о x 
fà System - webconsole х + 
€ C OQ | Q, https://webconsole.idm.example.com:9090/system v у М 0 Ө = 
Xt Most Visited $ Most Visited ФЭ Fedora Docs fi Fedora Magazine ЁЗ FedoraProject F3 User Communities Red Hat Free Content с? OrangeHRM » 
RED HAT ENTERPRISE LINUX & Example Use 
E webconsole Hardware QEMU Standard PC % of 2 CPU cores 


(I440FX + PIIX, 1996) 
System е10 e89c7da66c204ec3a76... 50 
є g System Red Hat Enterprise 
iz Linux 8.0 Beta (Ootpa) 2 ad a T Tm nie 
System Up To Date 
GIB Memory & Swap 
Show fingerprints 


Host Name webconsole (webcons. 


2.85 [EESS!)E2 X cbekci^ | ^|Óó)gÀiGoooaoaoood] 
T = 1.50 
ain idm.example.com 1 
0.500 
ne 2019-02-19 12:48 9 5 
1 18:45 18:46 18:47 18:48 


S | Restart | ~ 
e virtual-guest MiB/s Disk I/O 
@ Enable stored 


metrics... 


29.3. ENABLING ADMIN SUDO ACCESS TO DOMAIN 
ADMINISTRATORS ON THE IDM SERVER 


The following procedure describes steps on how to allow domain administrators to run any command on 
any host in the Identity Management (IdM) domain. 


To accomplish this, enable sudo access to the admins user group created automatically during the IdM 
server installation. 


All users added to the admins group will have sudo access if yourun ipa-advise script on the group. 


Prerequisites 


€ The server runs IdM 4.7.1 or later. 


Procedure 
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1 Connect to the IdM server. 


2. Run the ipa-advise script: 
| $ ipa-advise enable-admins-sudo | sh -ex 


If the console did not display an error, the admins group have admin permissions on all machines in the 
IdM domain. 
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CHAPTER 30. CONFIGURING SMART CARD 
AUTHENTICATION WITH THE WEB CONSOLE FOR 
CENTRALLY MANAGED USERS 


Configure smart card authentication in the RHEL 8 web console for users who are centrally managed by: 
e Identity Management 


€ Active Directory which is connected in the cross-forest trust with Identity Management 


IMPORTANT 


Smart card authentication does not elevate administrative privileges yet and the web 
console opens in the web browser in the read-only mode. 


| You can run administrative commands in the built-in terminal with `ѕиао`. 


Prerequisites 


e The system for which you want to use the smart card authentication must be a member of an 
Active Directory or Identity Management domain. 
For details about joining the RHEL 8 system into a domain using the web console, see Joining a 
RHEL 8 system to an IdM domain using the web console. 


e The certificate used for the smart card authentication must be associated with a particular user 
in Identity Management or Active Directory. 
For more details about associating a certificate with the user in Identity Management, see 
Adding a certificate to a user entry in IdM . 


30.1. SMART CARD AUTHENTICATION FOR CENTRALLY MANAGED 
USERS 


A smart card is a physical device, which can provide personal authentication using certificates stored on 
the card. Personal authentication means that you can use smart cards in the same way as user 
passwords. 

You can store user credentials on the smart card in the form of a private key and a certificate. Special 
software and hardware is used to access them. You insert the smart card into a reader or a USB socket 
and supply the PIN code for the smart card instead of providing your password. 


Identity Management (IdM) supports smart card authentication with: 


€ User certificates issued by the IdM certificate authority. For details, see Configuring Identity 
Management for smart card authentication. 


e User certificates issued by the Active Directory Certificate Service (ADCS) certificate authority. 
For details, see Configuring certificates issued by ADCS for smart card authentication in IdM . 


р МОТЕ 


If you want to start to use smart card authentication, see the hardware requirements: 
Smart Card support іп RHEL8. 
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30.2. INSTALLING TOOLS FOR MANAGING AND USING SMART CARDS 


To configure your smart card, you need tools which can generate certificates and store them on a smart 
card. 


You must: 
e Install the gnutls-utils package which helps you to manage certificates. 


e Install the opensc package which provides a set of libraries and utilities to work with smart 
cards. 


e Start the pcscd service which communicates with the smart card reader. 


Procedure 


1. Install the opensc and gnutls-utils packages: 
| # dnf -y install opensc gnutls-utils 


2. Start the pescd service. 


| # systemctl start pcscd 


Verify that the pcscd service is up and running. 


30.3. STORING A CERTIFICATE ON A SMART CARD 
This section describes smart card configuration with the pkcs15-init tool, which helps you to configure: 
e Erasing your smart card 
e Setting new PINs and optional PIN Unblocking Keys (PUKs) 
€ Creating a new slot on the smart card 
€ Storing the certificate, private key, and public key in the slot 


€ Locking the smart card settings (some smart cards require this type of finalization) 


Prerequisites 


€ The opensc package, which includes the pkcs15-init tool is installed. 
For details, see Installing tools for managing and using smart cards . 


e The card is inserted in the reader and connected to the computer. 
€ You have the private key, public key, and certificate to store on the smart card. In this 
procedure, testuser.key, testuserpublic.key, and testuser.crt are the names used for the 


private key, public key, and the certificate. 


€ Your current smart card user PIN and Security Officer PIN (SO-PIN) 


Procedure 
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. Erase your smart card and authenticate yourself with your PIN: 


$ pkcs15-init --erase-card --use-default-transport-keys 
Using reader with a card: Header name 

PIN [Security Officer PIN] required. 

Please enter PIN [Security Officer PIN]: 


The card has been erased. 


. Initialize your smart card, set your user PIN and PUK, and your Security Officer PIN and PUK: 


$ pkcs15-init --create-pkcs15 --use-default-transport-keys \ 
--pin 963214 --puk 321478 --so-pin 65498714 --so-puk 784123 
Using reader with a card: Header name 


The pcks15-init tool creates a new slot on the smart card. 


. Set the label and the authentication ID for the slot: 


$ pkcs15-init --store-pin --label testuser \ 
--auth-id 01 --so-pin 65498714 --pin 963214 --puk 321478 
Using reader with a card: Reader name 


The label is set to a human-readable value, in this case, testuser. The auth-id must be two 
hexadecimal values, in this case it is set to 01. 


. Store and label the private key in the new slot on the smart card: 


$ pkcs15-init --store-private-key testuser.key --label testuser key V 
--auth-id 01 --id 01 --pin 963214 
Using reader with a card: Header name 


NOTE 
The value you specify for --id must be the same when storing your private key, 


and certificate. If you do not specify a value for --id, a more complicated value is 
^ calculated by the tool and it is therefore easier to define your own value. 


5. Store and label the certificate in the new slot on the smart card: 


$ pkcs15-init --store-certificate testuser.crt --label testuser crt 
--auth-id 01 --id 01 --format pem --pin 963214 
Using reader with a card: Reader name 


6. (Optional) Store and label the public key in the new slot on the smart card: 


$ pkcs15-init --store-public-key testuserpublic.key 
--label testuserpublic_key --auth-id 01 --id 01 --pin 963214 
Using reader with a card: Reader name 
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7. 


30.4. 


NOTE 


If the public key corresponds to a private key and/or certificate, you should 
specify the same ID as that private key and/or certificate. 


(Optional) Some smart cards require you to finalize the card by locking the settings: 
| $ pkcs15-init -F 


At this stage, your smart card includes the certificate, private key, and public key in the newly 
created slot. You have also created your user PIN and PUK and the Security Officer PIN and 
PUK. 


ENABLING SMART CARD AUTHENTICATION FOR THE WEB 


CONSOLE 


To be able to use smart card authentication in the web console, enable smart card authentication in the 
cockpit.conf file. 


Additionally, you can disable password authentication in the same file. 


Prerequisites 


The RHEL 8 web console has been installed. 
For details, see Installing the web console. 


Procedure 


1. 


30.5. 


Log in to the RHEL web console with administrator privileges. 
For details, see Logging in to the web console . 


. Click Terminal. 


. In the /etc/cockpit/cockpit.conf, set the ClientCertAuthentication to yes: 


[WebService] 
ClientCertAuthentication = yes 


. Optionally, disable password based authentication in cockpit.conf with: 


[Basic] 
action = none 


This configuration disables password authentication and you must always use the smart card. 


. Restart the web console to make sure that the cockpit.service accepts the change: 


| # systemctl restart cockpit 


LOGGING IN TO THE WEB CONSOLE WITH SMART CARDS 


You can use smart cards to log in to the web console. 
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Prerequisites 


e Avalid certificate stored in your smart card that is associated to a user account created in a 
Active Directory or Identity Management domain. 


€ PIN to unlock the smart card. 


e The smart card has been put into the reader. 


Procedure 


1. Open your web browser and add the web console's address in the address bar. 
The browser asks you to add the PIN protecting the certificate stored on the smart card. 


2. In the Password Required dialog box, enter PIN and click OK. 
3. In the User Identification Request dialog box, select the certificate stored in the smart card. 


4. Select Remember this decision. 
The system does not open this window next time. 


5. Click OK. 


You are now connected and the web console displays its content. 


30.6. LIMITING USER SESSIONS AND MEMORY TO PREVENT A DOS 
ATTACK 


Certificate authentication is protected by separating and isolating instances of the cockpit-ws web 
server against attackers who wants to impersonate another user. However, this introduces a potential 
Denial of Service (DoS) attack: A remote attacker could create a large number of certificates and send a 
large number of HTTPS requests to cockpit-ws each using a different certificate. 


To prevent this DoS, the collective resources of these web server instances are limited. By default, limits 
to the number of connections and to memory usage are set to 200 threads and a 7596 (soft) / 9096 


(hard) memory limit. 


The following procedure describes resource protection by limiting the number of connections and 
memory. 


Procedure 
1. In the terminal, open the system-cockpithttps.slice configuration file: 


| # systemctl edit system-cockpithttps.slice 


2. Limit the TasksMax to 100 and CPUQuota to 30%: 


[Slice] 

# change existing value 
TasksMax-100 

# add new restriction 
CPUQuota=30% 


3. To apply the changes, restart the system: 
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# systemctl daemon-reload 
# systemctl stop cockpit 


Now, the new memory and user session limits protect the cockpit-ws web server from DoS attacks. 


30.7. ADDITIONAL RESOURCES 


e For more details on configuring certificates issued by IdM for smart card authentication, see the 
Configuring Identity Management for smart card authentication . 


e For more details on configuring certificates issued by ADCS for smart card authentication, see 
the Configuring certificates issued by ADCS for smart card authentication in IdM . 


€ For more details on configuring certificates issued by local CA for smart card authentication, 


see the Configuring and importing local certificates to a smart card . :context: system- 
management-using-the-RHEL -8-web-console 
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